S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
NAC Configuration Commands (Common Mode)

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

access-user arp-detect

Function

The access-user arp-detect command sets the source IP address and source MAC address of offline detection packets in a VLAN.

The undo access-user arp-detect command deletes the source IP address and source MAC address of offline detection packets in a VLAN.

By default, the source IP address and source MAC address are not specified for offline detection packets in a VLAN.

Format

access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

undo access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

Parameters

Parameter

Description

Value

vlan vlan-id

Specifies a VLAN ID.

The value is an integer that ranges from 1 to 4094.

ip-address ip-address

Specifies the source IP address of offline detection packets.

The value is in dotted decimal notation and can be 0.0.0.0, 255.255.255.255, or any other valid IP address.

mac-address mac-address

Specifies the source MAC address of offline detection packets.

The value is a unicast MAC address in H-H-H format, where H can be one to four hexadecimal digits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.

If the VLAN to which the user belongs has no VLANIF interface, or the VLANIF interface has no IP address, the device sends offline detection packets with the source IP address 0.0.0.0. If a user cannot respond to an ARP probe packet whose source IP address is 0.0.0.0, specify a source IP address for the offline detection packets. You are advised to use the user gateway's IP address and the MAC address that actually belongs to that gateway. Hosts that receive the probe may update their ARP cache with the sender IP-to-MAC mapping it carries, so a MAC address that does not match the real gateway would divert client traffic destined for the gateway.

Precautions

This function does not take effect for users who use Layer 3 Portal authentication.

If a user on a physical interface is online, this command takes effect only after the user goes online again or the device re-authenticates the user.

Example

# Set the source IP address and MAC address of offline detection packets for users in VLAN 10 to 192.168.1.1 and 2222-1111-1234 respectively.

<HUAWEI> system-view
[HUAWEI] access-user arp-detect vlan 10 ip-address 192.168.1.1 mac-address 2222-1111-1234
access-user arp-detect default ip-address

Function

The access-user arp-detect default ip-address command sets the default source IP address of offline detection packets.

The undo access-user arp-detect default ip-address command restores the default setting.

By default, the default source IP address of offline detection packets is 0.0.0.0.

Format

access-user arp-detect default ip-address ip-address

undo access-user arp-detect default ip-address

Parameters

Parameter

Description

Value

ip-address

Specifies the default source IP address of offline detection packets.

The value is in dotted decimal notation and can be 0.0.0.0, 255.255.255.255, or any other valid IP address.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.

Precautions

This function does not take effect for users who use Layer 3 Portal authentication.

Example

# Set the default source IP address of offline detection packets to 0.0.0.0.

<HUAWEI> system-view
[HUAWEI] access-user arp-detect default ip-address 0.0.0.0

access-user arp-detect delay

Function

The access-user arp-detect delay command configures the delay for sending offline detection packets.

The undo access-user arp-detect delay command deletes the configured delay for sending offline detection packets.

By default, no delay for sending offline detection packets is configured.

Format

access-user arp-detect delay delay

undo access-user arp-detect delay

Parameters

Parameter

Description

Value

delay Specifies the delay for sending offline detection packets. The value is an integer in the range from 1 to 120, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

A Windows client on the network sends a detection packet with the source address 0.0.0.0 after obtaining an IP address. If the device also initiates an ARP probe with the source address 0.0.0.0, a conflict occurs. To prevent this conflict, you can run the access-user arp-detect delay command to set the delay for sending offline detection packets. Typically, detection initiated by a Windows client takes 10 seconds. Therefore, a delay longer than 10 seconds is recommended.
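The following Python example is added here and is not part of the Huawei command reference; it builds the ARP request that an offline detection probe carries on the wire, both in the default form (sender IP 0.0.0.0, as discussed under access-user arp-detect and in the delay guideline above) and with a configured source IP/MAC pair, and decodes such a frame as you would see it in a capture on the client side. The frame layout is standard Ethernet/ARP; the MAC and IP values are constructed for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or the H-H-H form used in the CLI (e.g. 2222-1111-1234)."""
    if "-" in mac:
        digits = "".join(part.zfill(4) for part in mac.split("-"))
    else:
        digits = "".join(part.zfill(2) for part in mac.split(":"))
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes.fromhex(digits)


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return bytes(octets)


def build_arp_probe(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP request (opcode 1) for target_ip.

    sender_ip == "0.0.0.0" reproduces the default probe sent when no source
    address is configured; a real IP/MAC pair reproduces the configured case.
    """
    eth = mac_to_bytes(BROADCAST_MAC) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)          # Ethernet/IPv4, request
           + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
           + mac_to_bytes(ZERO_MAC) + ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an ARP-over-Ethernet frame (e.g. one captured on the client side)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": ".".join(str(x) for x in frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": ".".join(str(x) for x in frame[38:42]),
    }


def probe_has_unspecified_source(frame: bytes) -> bool:
    """True for the 0.0.0.0-source probe that some clients will not answer."""
    return parse_arp(frame)["sender_ip"] == "0.0.0.0"
```

Capturing on the client port after the user re-authenticates and running the frame through parse_arp is a quick way to confirm that the configured source IP and MAC (and any delay) actually took effect, since the command only applies to users who go online after it is configured.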

Example

# Set the delay for sending offline detection packets to 20 seconds.

<HUAWEI> system-view
[HUAWEI] access-user arp-detect delay 20

access-user arp-detect fallback

Function

The access-user arp-detect fallback command configures an IP address required for calculating the source address of offline detection packets.

The undo access-user arp-detect fallback command deletes the IP address configured for calculating the source address of offline detection packets.

By default, no IP address is configured for the device to calculate the source address of offline detection packets.

Format

access-user arp-detect fallback ip-address { mask | mask-length }

undo access-user arp-detect fallback

Parameters

Parameter

Description

Value

ip-address Specifies the IP address required for calculating the source address of offline detection packets. The value is in dotted decimal notation.

mask Specifies the mask of the IP address. The value is in dotted decimal notation. After the mask is converted into a binary number, all bits before the last 1 must be 1s. That is, the 1s in the mask must be contiguous and there cannot be any 0s before the last 1.

mask-length Specifies the mask length of the IP address. The value is an integer in the range from 0 to 32.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the device does not function as a gateway, it can send offline detection packets whose source address is on the same network segment as the clients. The device calculates this source address from the client network segment and the IP address specified in the access-user arp-detect fallback command: it performs a bitwise AND between the specified IP address and the wildcard mask (the inverse of the configured mask) to obtain the host part, and then combines the host part with the network part of the client segment by a bitwise OR. For example, if the client network segment is 192.168.1.0/24 and access-user arp-detect fallback 0.0.0.11 24 is configured, the source address of offline detection packets is 192.168.1.11. Exclude the calculated address from the address pool of the DHCP server to prevent IP address conflicts.
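The following Python example is added here and is not part of the Huawei command reference. It reproduces the source-address calculation described above for both forms of the mask argument, enforces the contiguous-mask rule stated in the parameter table, and adds a check that the resulting address does not fall inside a DHCP pool range; the pool boundaries and network segments are constructed for illustration.

```python
import ipaddress


def mask_from_spec(mask_spec) -> int:
    """Accept a mask length (0-32) or a dotted-decimal mask; reject non-contiguous masks."""
    if isinstance(mask_spec, int):
        if not 0 <= mask_spec <= 32:
            raise ValueError("mask length must be 0..32")
        return (0xFFFFFFFF << (32 - mask_spec)) & 0xFFFFFFFF
    mask = int(ipaddress.IPv4Address(mask_spec))
    inverted = ~mask & 0xFFFFFFFF
    # The 1s are contiguous from the top iff the inverted mask is of the form 2^k - 1.
    if inverted & (inverted + 1):
        raise ValueError(f"mask {mask_spec} has non-contiguous 1 bits")
    return mask


def arp_detect_source(client_segment: str, fallback_ip: str, mask_spec) -> str:
    """Source address = (client network bits) OR (fallback_ip AND wildcard mask)."""
    segment = ipaddress.ip_network(client_segment, strict=False)
    mask = mask_from_spec(mask_spec)
    wildcard = ~mask & 0xFFFFFFFF
    host_part = int(ipaddress.IPv4Address(fallback_ip)) & wildcard
    network_part = int(segment.network_address) & mask
    return str(ipaddress.IPv4Address(network_part | host_part))


def conflicts_with_dhcp_pool(address: str, pool_start: str, pool_end: str) -> bool:
    """True when the calculated source address lies inside a DHCP pool range."""
    a = ipaddress.IPv4Address(address)
    return ipaddress.IPv4Address(pool_start) <= a <= ipaddress.IPv4Address(pool_end)


if __name__ == "__main__":
    # The documented case: 192.168.1.0/24 with "access-user arp-detect fallback 0.0.0.11 24".
    src = arp_detect_source("192.168.1.0/24", "0.0.0.11", 24)
    print(src, "conflicts with pool:", conflicts_with_dhcp_pool(src, "192.168.1.10", "192.168.1.200"))
```

Run the check against every client segment the switch serves, since a single fallback value yields one host offset on each segment and each resulting address must be excluded from that segment's DHCP pool.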

Precautions

This function does not take effect for users who use Layer 3 Portal authentication.

This command is effective for online users connected to physical interfaces only after the users go online again or the device re-authenticates the users.

Example

# Set the IP address required for calculating the source address of offline detection packets to 0.0.0.11.

<HUAWEI> system-view
[HUAWEI] access-user arp-detect fallback 0.0.0.11 24

access-user dot1x-identity speed-limit

Function

The access-user dot1x-identity speed-limit command configures the rate limit of Identity packets for 802.1X authentication to be sent to the CPU.

The undo access-user dot1x-identity speed-limit command restores the default rate limit of Identity packets for 802.1X authentication to be sent to the CPU.

By default, the maximum number of Identity packets for 802.1X authentication that can be sent to the CPU per second depends on the device model.

Format

access-user dot1x-identity speed-limit value

undo access-user dot1x-identity speed-limit [ value ]

Parameters

Parameter Description Value
value Specifies the rate limit of Identity packets for 802.1X authentication to be sent to the CPU. The value is an integer in the range of 5 to 2000, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If a large number of Identity packets for 802.1X authentication are sent to the CPU of a switch, the CPU usage is high and other services are affected. To prevent this problem, run the access-user dot1x-identity speed-limit command to configure the rate limit of Identity packets for 802.1X authentication to be sent to the CPU, so that the switch discards excess Identity packets.

Example

# Set the rate limit of Identity packets for 802.1X authentication to be sent to the CPU to 10 pps.

<HUAWEI> system-view
[HUAWEI] access-user dot1x-identity speed-limit 10

access-user syslog-restrain enable

Function

The access-user syslog-restrain enable command enables system log suppression.

The undo access-user syslog-restrain enable command disables system log suppression.

By default, system log suppression is enabled.

Format

access-user syslog-restrain enable

undo access-user syslog-restrain enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a user fails in authentication or goes offline, the device records a system log. The system log contains the MAC addresses of access device and access user and the authentication time.

If a user repeatedly attempts to go online after authentication failures or frequently goes online and offline in a short period, a lot of system logs are generated, which waste system resources and degrade system performance. System log suppression can address this problem. After the device generates a system log, it will not generate the same log within the suppression period (set by access-user syslog-restrain period).

NOTE:

System logs are considered the same when they contain the same MAC addresses. For example, after the device generates a system log for a user who fails authentication, it does not generate a new system log for that user if the user fails authentication again within the suppression period. System logs for users going offline are suppressed in the same way. Note that suppressed repetitions are not recorded anywhere, so the number of logs seen during a suppression period does not reflect the number of failed attempts from that MAC address.
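The following Python example is added here and is not part of the Huawei command reference. It models the suppression behaviour described for access-user syslog-restrain enable and access-user syslog-restrain period: after a log is generated for a MAC address, repeats within the period are dropped, and the window restarts from the last generated log. It assumes that authentication-failure and offline logs are suppressed independently of each other (the text treats them as separate log types); the event stream is constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SyslogSuppressor:
    """Models access-user syslog-restrain: at most one log per (MAC, log type) per period."""
    period: int = 300          # seconds; the default of access-user syslog-restrain period
    enabled: bool = True       # access-user syslog-restrain enable is on by default
    last_logged: dict = field(default_factory=dict)
    suppressed: int = 0

    def record(self, ts: int, mac: str, event: str) -> bool:
        """Return True if a system log is generated for this event, False if it is suppressed."""
        key = (mac.lower(), event)       # assumption: log type is part of the suppression key
        last = self.last_logged.get(key)
        if self.enabled and last is not None and ts - last < self.period:
            self.suppressed += 1
            return False
        self.last_logged[key] = ts       # the window starts at the log that was generated
        return True


def replay(events, period: int = 300, enabled: bool = True):
    """Feed (timestamp, mac, event) tuples in time order; return (logged events, suppressed count)."""
    s = SyslogSuppressor(period=period, enabled=enabled)
    logged = [e for e in events if s.record(*e)]
    return logged, s.suppressed


# Constructed sample: one client failing repeatedly, a second client, and an offline event.
SAMPLE_EVENTS = [
    (0,   "2222-1111-1234", "auth-fail"),
    (5,   "aaaa-bbbb-cccc", "auth-fail"),
    (10,  "2222-1111-1234", "auth-fail"),   # suppressed: same MAC, within 300 s of t=0
    (20,  "2222-1111-1234", "offline"),     # logged: different log type
    (299, "2222-1111-1234", "auth-fail"),   # suppressed: still inside the window
    (301, "2222-1111-1234", "auth-fail"),   # logged: window from t=0 has expired
]

if __name__ == "__main__":
    logged, dropped = replay(SAMPLE_EVENTS)
    print(f"{len(logged)} logs generated, {dropped} suppressed")
```

The counts matter when these logs feed a SIEM: with the default 300 s period, a client hammering the port with bad credentials produces one failure log per five minutes, so alert rules that threshold on log volume must be tuned against the suppression period, or the period must be shortened on switches where attempt counts are needed.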

Example

# Enable system log suppression.

<HUAWEI> system-view
[HUAWEI] access-user syslog-restrain enable

access-user syslog-restrain period

Function

The access-user syslog-restrain period command sets a period for system log suppression.

The undo access-user syslog-restrain period command restores the default period for system log suppression.

By default, the period of system log suppression is 300s.

Format

access-user syslog-restrain period period

undo access-user syslog-restrain period

Parameters

Parameter

Description

Value

period

Specifies the period for system log suppression.

The value is an integer that ranges from 60 to 604800, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the system log suppression function is enabled using the access-user syslog-restrain enable command, use this command to set the system log suppression period. After generating a system log, the device will not generate the same log within the suppression period.

Example

# Set the period for system log suppression to 600s.

<HUAWEI> system-view
[HUAWEI] access-user syslog-restrain period 600

acl authorization statistics enable

Function

The acl authorization statistics enable command enables statistics collection on packets that match the ACLs assigned for authorization.

The undo acl authorization statistics enable command disables statistics collection on packets that match the ACLs assigned for authorization.

By default, statistics collection on packets that match the ACLs assigned for authorization is disabled.

Format

acl authorization statistics enable

undo acl authorization statistics enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a live network, the authentication server may assign ACLs to users who pass NAC authentication to grant the users access to the network. You can run the acl authorization statistics enable command to check the number of user packets that match the assigned ACLs.

Precautions

The function takes effect only for users who go online after this function is enabled.

Example

# Enable statistics collection on packets that match the ACLs assigned for authorization.

<HUAWEI> system-view
[HUAWEI] acl authorization statistics enable

acl-id (user group view)

Function

The acl-id command binds an ACL to a user group.

The undo acl-id command unbinds an ACL from a user group.

By default, no ACL is bound to a user group.

Format

acl-id acl-number

undo acl-id { acl-number | all }

Parameters

Parameter Description Value
acl-number Specifies the number of an ACL bound to a user group. The value is an integer that ranges from 3000 to 3999.
all Unbinds all ACLs from the user group. -

Views

User group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a user group is created using the user-group command, you can run the acl-id acl-number command to bind an ACL to the user group, so that users in the user group share an ACL.
NOTE:

Before an ACL is bound to the user group, do not run the user-group enable command to enable the user group; otherwise, the ACL cannot be bound to the user group.

Prerequisites

The ACL has been created using the acl (system view) or acl name command and ACL rules have been configured using the rule command.

Precautions
  • When different types of boards are installed, the minimum board specifications are used for the ACL rules delivered by a user group.

  • The ACL bound to a user group cannot be modified or deleted in the system view.

  • If no ACL rule is configured for a user group, the device does not restrict the network access rights of users in the user group.

  • When configuring ACL rules for a user group, include a rule that denies all remaining traffic as the last rule and verify that it takes effect; traffic that matches none of the configured rules is otherwise not restricted.

  • If all users in a group are required to have the same access rights, do not specify the source IP address in the ACL bound to the user group. If an ACL bound to a user group has defined the source IP address, only users with the same IP address as the source IP address in the ACL can match the ACL in the user group.

Example

# Bind ACL 3001 to the user group abc.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule 5 deny ip destination 192.168.5.0 0.0.0.255
[HUAWEI-acl-adv-3001] quit
[HUAWEI] user-group abc
[HUAWEI-user-group-abc] acl-id 3001

authentication critical eapol-success

Function

The authentication critical eapol-success command configures the device to send an Eapol-Success packet to a user after the user is added to the critical VLAN.

The undo authentication critical eapol-success command configures the device to send an Eapol-Fail packet to a user after the user is added to the critical VLAN.

By default, an Eapol-Fail packet is sent to a user after the user is added to the critical VLAN.

Format

In the system view:

authentication critical eapol-success interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication critical eapol-success interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication critical eapol-success

undo authentication critical eapol-success

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • interface-number2 specifies the number of the last interface.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

After a user is added to the critical VLAN because the authentication server does not respond, the device can be configured to send an Eapol-Success or Eapol-Fail packet to the user to prevent the user from continuously sending access request packets. After receiving the Eapol-Success packet or Eapol-Fail packet, the user stops attempting to go online by sending the access request packet repeatedly, which prevents the device performance from degrading.

The user receiving the Eapol-Success packet can still obtain the IP address through a DHCP packet, while the user receiving the Eapol-Fail packet fails to do so. The administrator can configure the device to send an Eapol-Success or Eapol-Fail packet as required.

Example

# Configure the device to send an Eapol-Success packet to a user after the user is added to the critical VLAN on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] authentication critical eapol-success

authentication critical-vlan

Function

The authentication critical-vlan command configures a critical VLAN on an interface.

The undo authentication critical-vlan command deletes a critical VLAN from an interface.

By default, no critical VLAN is configured on an interface.

Format

In the system view:

authentication critical-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication critical-vlan [ vlan-id ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication critical-vlan vlan-id

undo authentication critical-vlan [ vlan-id ]

Parameters

Parameter

Description

Value

vlan-id

Specifies the VLAN ID of a critical VLAN.

The value is an integer that ranges from 1 to 4094.

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • interface-number2 specifies the number of the last interface.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A critical VLAN is authorized for users when the authentication server does not respond.

When the access device cannot communicate with the RADIUS server or the RADIUS server fails, the authentication process on the network is interrupted and users cannot pass the authentication. After the critical VLAN function of the device is enabled, the device sets the state flag of the authentication server to Down and adds the users to the critical VLAN. In this way, the users can access resources in the critical VLAN without being authenticated.

Precautions

  • This command is only valid for 802.1X authentication and MAC address authentication.
  • The XGE interface connected to ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01, or ET1D2FW00S02 does not support the critical VLAN function in MAC address authentication.
  • If the free-ip function is configured, the critical VLAN function becomes invalid immediately.
  • To make the VLAN authorization function take effect, the link type and access control mode of the authentication interface must meet the following requirements:
    • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
    • When the link type is access or trunk, the access control mode can only be based on the interface.

Example

# In the system view, enable 802.1X authentication on GE1/0/1 with interface-based access control and set the critical VLAN to VLAN 20.

<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 1/0/1
[HUAWEI] authentication critical-vlan 20 interface gigabitethernet 1/0/1

# In the interface view, enable MAC address authentication on GE1/0/1 and set the critical VLAN to VLAN 20.

<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] mac-authen
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] mac-authen
[HUAWEI-GigabitEthernet1/0/1] authentication critical-vlan 20

authentication device-type voice authorize

Function

The authentication device-type voice authorize command enables voice terminals to go online without authentication.

The undo authentication device-type voice authorize command disables voice terminals from going online without authentication.

By default, voice terminals are disabled from going online without authentication.

Format

authentication device-type voice authorize [ user-group group-name ]

undo authentication device-type voice authorize [ user-group ]

Parameters

Parameter

Description

Value

user-group group-name Specifies the name of the user group based on which network access rights are assigned to voice terminals. The value must be an existing user group name.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When both data terminals (such as PCs) and voice terminals (such as IP phones) are connected to switches, NAC is configured on the switches to manage and control the data terminals. The voice terminals, however, only need to connect to the network without being managed and controlled. In this case, you can configure the voice terminals to go online without authentication on the switches. Then the voice terminals identified by the switches can go online without authentication.

Precautions

To enable the switches to identify the voice terminals, enable LLDP or configure OUI for the voice VLAN on the switches. For details, see Configuring Basic LLDP Functions in "LLDP Configuration" in the S12700 V200R013C00 Configuration Guide - Network Management and Monitoring or Configuring a Voice VLAN Based on a MAC Address in "Voice VLAN Configuration" in the S12700 V200R013C00 Configuration Guide - Ethernet Switching. If a voice device supports only CDP but does not support LLDP, configure CDP-compatible LLDP on the switch using lldp compliance cdp receive command.

If an 802.1X user initiates authentication through a voice terminal, a switch preferentially processes the authentication request. If the authentication succeeds, the terminal obtains the corresponding network access rights. If the authentication fails, the switch identifies the terminal type and enables the terminal to go online without authentication.

When user-group group-name is not specified, voice terminals obtain the corresponding network access rights after they pass authentication and go online. When user-group group-name is specified, voice terminals obtain the network access rights defined by the user group after they go online. To define the network access rights of voice terminals with a user group, run the user-group group-name command to create the user group and configure network authorization information for the users in the group. Note that the user group takes effect only after it is enabled.

If you run this command repeatedly, the latest configuration overrides the previous ones.

This function takes effect only for users who go online after this function is successfully configured.

Example

# Enable voice terminals to go online without authentication.

<HUAWEI> system-view
[HUAWEI] authentication device-type voice authorize

authentication event

Function

The authentication event command grants network access rights to users in different authentication stages.

The undo authentication event command cancels network access rights of users in different authentication stages.

By default, no network access right is granted to users in different authentication stages.

Format

  • Command for 802.1X authentication:

    System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view:

    authentication event { pre-authen | authen-fail | authen-server-down | client-no-response } { vlan vlan-id | user-group group-name }

    undo authentication event { pre-authen | authen-fail | authen-server-down | client-no-response }

  • Command for MAC address authentication:

    System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view:

    authentication event { pre-authen | authen-fail | authen-server-down } { vlan vlan-id | user-group group-name }

    undo authentication event { pre-authen | authen-fail | authen-server-down }

    VLANIF interface view:

    authentication event { authen-fail | authen-server-down } user-group group-name

    undo authentication event { authen-fail | authen-server-down }

  • Command for portal authentication:

    System view:

    authentication event { pre-authen | authen-fail | authen-server-down } user-group group-name

    undo authentication event { pre-authen | authen-fail | authen-server-down }

    VLANIF interface view:

    authentication event { authen-fail | authen-server-down } user-group group-name

    undo authentication event { authen-fail | authen-server-down }

Parameters

Parameter Description Value
pre-authen

Specifies the network access rights granted to users before authentication starts.

In an 802.1X authentication, when a device receives an ARP or DHCP request packet sent from a user terminal, but not an authentication request packet from an 802.1X client, the device grants the pre-authen right to the user. If only this parameter is specified but the network access rights are not configured for other events, the device grants the pre-authen right to the users failing in authentication.

In a MAC address or Portal authentication, if only this parameter is specified but the network access rights are not configured for other events, the device grants the pre-authen right to the users failing in authentication.

-

authen-fail

Specifies the network access rights granted to users when authentication fails.

The device grants this right to all users who have failed in authentication.

-

authen-server-down

Specifies the network access rights granted to users when the authentication server does not respond.

If both the authen-server-down and authen-fail parameters are specified, the authen-server-down parameter takes effect if the authentication server does not respond.

-

client-no-response

Specifies the network access rights granted to users when the 802.1X client does not respond.

If both the client-no-response and authen-fail parameters are specified, the client-no-response parameter takes effect if the 802.1X client does not respond.

-

vlan vlan-id

Specifies a VLAN ID. When this parameter is specified, the user can access only the resources in the VLAN.

The value is an integer that ranges from 1 to 4094.

user-group group-name

Specifies a user group. When this parameter is specified, the user can access the resources defined for the user group.

The value must be an existing user group name.

Views

System view, VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To grant different network access rights to users in different stages, you can use this command.

Prerequisites

The 802.1X authentication, MAC address authentication, or Portal authentication has been enabled.

Precautions

  • If the command is executed in both the interface view and system view, the configuration in interface view takes effect.
  • This function takes effect only for users who go online after this function is successfully configured.

  • If the user-group parameter is specified in the command, only the network access rights (that is, the ACL and VLAN bound to the user group) configured for the user group take effect.
  • If the network access rights specified in the authentication event command are defined by a user group, the dot1x free-ip command configured in the system view does not take effect, and the dot1x free-ip command configured in the interface view does not take effect for that interface.
  • If the user-group parameter is specified and the destination network access rights in the authentication-free rule configured by portal free-rule are the same as those defined for the user group, the authentication-free rule does not take effect.
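The following Python example is added here and is not part of the Huawei command reference. It encodes the precedence rules stated in the parameter table above (a specific authen-server-down or client-no-response right beats the generic authen-fail right; a pre-authen right is the only one configured, so failing users keep it) as a small resolver, so that a reviewer can see what a user ends up with for every outcome under a given set of authentication event lines. The cfg mapping is the effective configuration for one interface (the interface view wins over the system view per the precautions); the example rights are constructed and the fallback order is this editor's reading of the text.

```python
EVENTS = ("pre-authen", "authen-fail", "authen-server-down", "client-no-response")


def resolve_access_right(outcome: str, cfg: dict):
    """Return the right (e.g. "vlan 10" or "user-group guest") a user gets for an outcome.

    cfg maps event name -> configured right, mirroring lines such as
    'authentication event authen-fail vlan 10'. Returns None when no right applies.
    """
    if outcome not in EVENTS:
        raise ValueError(f"unknown outcome {outcome}")
    if outcome == "pre-authen":
        return cfg.get("pre-authen")
    # A right configured for this specific failure kind beats the generic authen-fail right.
    if outcome in ("authen-server-down", "client-no-response") and outcome in cfg:
        return cfg[outcome]
    if "authen-fail" in cfg:
        return cfg["authen-fail"]
    # Only pre-authen is configured: users who fail authentication keep the pre-authen right.
    if "pre-authen" in cfg and all(e not in cfg for e in EVENTS[1:]):
        return cfg["pre-authen"]
    return None


def audit(cfg: dict) -> dict:
    """What every outcome resolves to under one configuration; handy when reviewing a switch config."""
    return {outcome: resolve_access_right(outcome, cfg) for outcome in EVENTS}


if __name__ == "__main__":
    # Constructed example: a guest VLAN on failure plus a critical user group when RADIUS is down.
    example = {"authen-fail": "vlan 10", "authen-server-down": "user-group critical"}
    for outcome, right in audit(example).items():
        print(f"{outcome:20s} -> {right}")
```

Running audit over each interface's effective configuration makes the silent cases visible: an interface with only a pre-authen right hands that same right to every user who fails authentication, which is rarely what the operator intended.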

Example

# On GE1/0/1, allow users to access resources in VLAN 10 when authentication fails.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] authentication event authen-fail vlan 10

authentication event response-fail

Function

The authentication event response-fail command configures the device to return an authentication failure packet when a user fails in authentication or the authentication server does not respond.

The undo authentication event response-fail command restores the default configuration.

By default, the device returns an authentication success packet when a user fails in authentication or the authentication server does not respond.

Format

authentication event { authen-fail | authen-server-down } response-fail

undo authentication event { authen-fail | authen-server-down } response-fail

Parameters

Parameter Description Value
authen-fail

Specifies that the device returns an authentication failure packet to the 802.1X client or portal server when a user fails in authentication.

-

authen-server-down

Specifies that the device returns an authentication failure packet to the 802.1X client or portal server when the authentication server does not respond.

-

Views

System view, VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the authentication event command is used to configure the network access rights granted when a user fails authentication or the authentication server does not respond, the device by default returns an authentication success packet to the 802.1X client or portal server. The user is therefore not told that authentication failed, can access only limited network resources, and cannot use the expected service.

You can use this command to configure the device to return an authentication failure packet to the 802.1X client or portal server instead. In 802.1X authentication, the 802.1X client notifies the user of the authentication failure. In portal authentication, the portal server pushes an authentication failure message to the user. The user can then choose whether to re-authenticate.

Precautions

  • If the command is executed in both the interface view and system view, the configuration in interface view takes effect.
  • This function takes effect only for users who go online after this function is successfully configured.
  • This command is only applicable to the 802.1X authentication and Portal authentication.

Example

# Configure GE1/0/1 to return an authentication failure packet to the 802.1X client or portal server when a user fails in authentication.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] authentication event authen-fail response-fail

authentication event session-timeout

Function

The authentication event session-timeout command sets the timeout period of network access rights granted to users in different authentication stages.

The undo authentication event session-timeout command restores the default timeout period.

By default, the timeout period of network access rights granted to users is 15 minutes.

Format

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view

authentication event { pre-authen | authen-fail | authen-server-down | client-no-response } session-timeout session-time

undo authentication event { pre-authen | authen-fail | authen-server-down | client-no-response } session-timeout

VLANIF interface view

authentication event { pre-authen | authen-fail | authen-server-down } session-timeout session-time

undo authentication event { pre-authen | authen-fail | authen-server-down } session-timeout

Parameters

Parameter Description Value
pre-authen

Specifies the timeout period of the network access rights granted to users before authentication starts.

-

authen-fail

Specifies the timeout period of the network access rights granted to users when authentication fails.

-

authen-server-down

Specifies the timeout period of the network access rights granted to users when the authentication server does not respond.

-

client-no-response

Specifies the timeout period of the network access rights granted to users when the 802.1X client does not respond.

This parameter is only valid for 802.1X authentication.

-

session-time

Specifies the timeout period.

If the user still fails to be authenticated when this period (the user aging time) expires, the user entry is deleted.

The value is an integer that ranges from 0 to 71581, in minutes.

Views

System view, VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After you run the authentication event command to grant the network access rights to users in different authentication stages, you can run the authentication event session-timeout command to specify the timeout period for the network access rights. Users can access the authorized resources within the timeout period, and will be forced to go offline after the timeout period expires.

If the aging time is set to 0, the network access rights granted to the user will not expire. To disconnect the user from the network, run the cut access-user command on the device or configure the authentication server to deliver an offline message to the user.

Precautions

The timeout period set in the VLANIF interface view is not applicable to 802.1X authentication.

If this command is only run in the system view, the configuration takes effect on all interfaces. If this command is run in both the system view and interface view, the configuration on interfaces takes precedence over the global configuration.

This function takes effect only for users who go online after this function is successfully configured.

Example

# On interface GE1/0/1, set the timeout period of the network access rights granted to users when authentication fails to 100 minutes.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] authentication event authen-fail session-timeout 100

authentication guest-vlan

Function

The authentication guest-vlan command configures a guest VLAN on an interface.

The undo authentication guest-vlan command deletes a guest VLAN from an interface.

By default, no guest VLAN is configured on an interface.

Format

In the system view:

authentication guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication guest-vlan [ vlan-id ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication guest-vlan vlan-id

undo authentication guest-vlan [ vlan-id ]

Parameters

Parameter

Description

Value

vlan-id

Specifies the ID of a guest VLAN.

The value is an integer that ranges from 1 to 4094.

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • interface-number2 specifies the number of the last interface.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During 802.1X authentication and MAC address authentication, a guest VLAN allows users to access limited resources without authentication. The device supports the guest VLAN function.

Users in the guest VLAN can access resources in the guest VLAN without authentication but must be authenticated when they access external resources.

NOTE:
  • The restrict VLAN is for the users who fail the authentication, while the guest VLAN is for the users who are not authenticated.

  • If only a guest VLAN is configured but no restrict VLAN is configured, the users who fail the authentication are added to the guest VLAN.

Prerequisites

The VLAN to be configured as the guest VLAN must have been created.

802.1X authentication has been enabled globally and on the interface using the dot1x enable command, or MAC address authentication has been enabled globally and on the interface using the mac-authen command.

Precautions

  • The guest VLAN function can take effect only in 802.1X and MAC address authentication.
  • A super VLAN cannot be configured as a guest VLAN.
  • When free IP subnets are configured, the guest VLAN function becomes invalid immediately.
  • The guest VLAN function takes effect only when a user sends untagged packets to the device.
  • Different interfaces can be configured with different guest VLANs. After a guest VLAN is configured on an interface, the guest VLAN cannot be deleted.
  • To make the VLAN authorization function take effect, the link type and access control mode of the authentication interface must meet the following requirements:
    • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
    • When the link type is access or trunk, the access control mode can only be based on the interface.

Example

# In the system view, configure 802.1X authentication for the users using Port-based access method on GE1/0/1 and set the guest VLAN to VLAN 20.
<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 1/0/1
[HUAWEI] authentication guest-vlan 20 interface gigabitethernet 1/0/1

# In the interface view, enable MAC address authentication on GE1/0/1 and set the guest VLAN to VLAN 20.

<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] mac-authen
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] mac-authen
[HUAWEI-GigabitEthernet1/0/1] authentication guest-vlan 20

authentication mac-move enable

Function

The authentication mac-move enable command enables MAC address migration.

The undo authentication mac-move enable command disables MAC address migration.

By default, MAC address migration is disabled.

Format

authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } &<1-10> }

undo authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } &<1-10> }

Parameters

Parameter

Description

Value

vlan

Specifies the VLAN range for enabling MAC address migration.

-

all

Enables MAC address migration in all VLANs.

-

vlan-id1 [ to vlan-id2 ]

Enables MAC address migration in the specified VLANs.

  • vlan-id1 specifies the ID of the first VLAN.
  • vlan-id2 specifies the ID of the second VLAN. The value of vlan-id2 must be greater than that of vlan-id1.

The value is an integer that ranges from 1 to 4094.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a user is authenticated and accesses the network from one interface of the device, the network cable may be unplugged from that interface and plugged into another interface on the device. In this case, the user cannot immediately initiate authentication and access the network: the user can initiate authentication on the new interface only after the user offline detection interval expires, or after the original authentication interface is manually shut down and re-enabled to clear the online user entry. To improve user experience, MAC address migration can be enabled so that the user can immediately initiate authentication and access the network after being switched to another access interface.

MAC address migration allows online NAC authentication users to immediately initiate authentication and access the network after they are switched to other access interfaces. If the user is authenticated successfully on the new interface, the online user entry on the original interface is deleted immediately to ensure that only one interface records the online user entry.

In addition, VLANs need to be specified for users in MAC address migration. The VLANs before and after the migration can be specified for the users, and they can be the same or different.

Precautions

  • In normal cases, enabling MAC address migration is not recommended; enable it only when users need to migrate while roaming. Keeping it disabled prevents unauthorized users from forging the MAC addresses of online users and sending ARP, 802.1X, or DHCP packets on other authentication control interfaces to trigger MAC address migration and force authorized users offline.
  • Cascading migration through intermediate devices is not supported, because ARP and DHCP packets are not sent after the cascading migration.
  • MAC address migration is not supported for Layer 3 Portal authentication users and PPPoE authentication users.
  • In the Layer 2 BNG scenario, the device does not support MAC address migration.
  • A user is switched from an interface configured with NAC authentication to another interface not configured with NAC authentication. In this case, the user can access the network only after the original online entry is aged because the new interface cannot send authentication packets to trigger MAC migration.
  • In common mode, Portal authentication is triggered only after users who go online through a VLANIF interface send ARP packets and go offline; otherwise, the users can go online again only after the original user online entries age out. Portal authentication cannot be triggered after users who go online through physical interfaces migrate. The users can go online again only after the original user online entries age out.
  • After a user who goes online from a VLANIF interface is quieted because of multiple MAC address migrations, MAC address migration can be performed for the quieted user only after the quiet period expires and the ARP entry is aged out.
  • When an authorized VLAN is specified in the authentication mac-move enable vlan command, you are advised to enable the function of detecting the user status before user MAC address migration.

Example

# Enable MAC address migration in all VLANs.

<HUAWEI> system-view
[HUAWEI] authentication mac-move enable vlan all

authentication mac-move detect enable

Function

The authentication mac-move detect enable command enables a device to detect users' online status before user MAC address migration.

The undo authentication mac-move detect enable command disables a device from detecting users' online status before user MAC address migration.

By default, a device is disabled from detecting users' online status before user MAC address migration.

Format

authentication mac-move detect enable

undo authentication mac-move detect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

To prevent unauthorized users from spoofing online users to attack a device, run the authentication mac-move detect enable command to enable the device to detect users' online status before user MAC address migration. If no users are online, the device permits MAC address migration and allows users to go online from a new access interface. If a user is online, the device terminates MAC address migration and does not allow the user to go online from a new access interface.

You can also run the authentication mac-move detect retry-interval retry-time command to set the detection interval and maximum number of detections before user MAC address migration.

Example

# Enable a device to detect users' online status before user MAC address migration.

<HUAWEI> system-view
[HUAWEI] authentication mac-move detect enable

authentication mac-move detect retry-interval retry-time

Function

The authentication mac-move detect retry-interval retry-time command sets the detection interval and maximum number of detections before user MAC address migration.

The undo authentication mac-move detect retry-interval retry-time command restores the default setting.

By default, a device detects users' online status once. The detection interval is 3 seconds.

Format

authentication mac-move detect { retry-interval interval | retry-time times } *

undo authentication mac-move detect { retry-interval | retry-time } *

Parameters

Parameter

Description

Value

interval

Specifies the interval at which a device detects users' online status before user MAC address migration.

The value is an integer that ranges from 1 to 5, in seconds.

times

Specifies the maximum number of detections before user MAC address migration.

The value is an integer that ranges from 1 to 3.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After a device is enabled to detect users' online status before user MAC address migration, you can run the authentication mac-move detect { retry-interval interval | retry-time times } * command to modify the default detection interval and maximum number of detections.
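The online-status check configured by authentication mac-move detect enable and tuned by this command can be modelled as a short simulation. The following Python is an added example, not Huawei's code or output: it assumes a probe callback standing in for the device's detection packets sent to the interface the user is currently recorded on, treats retry_interval as the time an unanswered probe waits before the next attempt, and uses a simulated clock; the parameter ranges are the ones documented above.

```python
from typing import Callable, List, Tuple


def check_before_mac_move(probe: Callable[[str], bool], mac: str,
                          retry_interval: int = 3,
                          retry_time: int = 1) -> Tuple[bool, int, List[bool]]:
    """Decide whether a MAC address migration may proceed (added example).

    probe(mac) models one detection packet sent to the interface where the
    user is recorded as online and returns True if the user answered.
    retry_interval (1-5 s) is assumed to be the time an unanswered probe waits;
    retry_time (1-3) is the maximum number of probes. Defaults match the page:
    one detection with a 3-second interval.

    Returns (migration_allowed, seconds_spent, per_probe_results).
    """
    if not 1 <= retry_interval <= 5:
        raise ValueError("retry-interval must be 1-5 seconds")
    if not 1 <= retry_time <= 3:
        raise ValueError("retry-time must be 1-3")
    results: List[bool] = []
    elapsed = 0
    for _ in range(retry_time):
        answered = probe(mac)
        results.append(answered)
        if answered:
            # The recorded user is still online, so the request to bring the
            # same MAC online on another interface is refused: the existing
            # session is kept and the migration is terminated.
            return False, elapsed, results
        elapsed += retry_interval      # unanswered probe: wait, then retry
    # No answer after all probes: the old entry is stale, migration allowed.
    return True, elapsed, results


def scripted_probe(replies: List[bool]) -> Callable[[str], bool]:
    """Construct a probe whose i-th call returns replies[i] (constructed input;
    calls beyond the list get no answer)."""
    it = iter(replies)
    return lambda mac: next(it, False)


if __name__ == "__main__":
    mac = "00e0-fc12-3456"   # constructed sample MAC address
    print(check_before_mac_move(scripted_probe([False, True]), mac, 5, 2))
    print(check_before_mac_move(scripted_probe([]), mac, 5, 2))
```

With retry-interval 5 and retry-time 2, a user that answers the second probe keeps its session and the migration is refused after 5 seconds; a user that never answers is allowed to migrate after 10 seconds.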

Example

# Configure a device to detect users' online status twice at an interval of 5 seconds before user MAC address migration.

<HUAWEI> system-view
[HUAWEI] authentication mac-move detect retry-interval 5 retry-time 2

authentication mac-move quiet-log enable

Function

The authentication mac-move quiet-log enable command enables the device to record logs about MAC address migration quiet.

The undo authentication mac-move quiet-log enable command disables the device from recording logs about MAC address migration quiet.

By default, the device is enabled to record logs about MAC address migration quiet.

Format

authentication mac-move quiet-log enable

undo authentication mac-move quiet-log enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The device can record logs when adding or deleting MAC address migration quiet entries. This helps the administrator to find out the cause for MAC address migration failure, and improves maintainability of the MAC address migration quiet function.

Example

# Enable the device to record logs about MAC address migration quiet.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-log enable

authentication mac-move quiet-times quiet-period

Function

The authentication mac-move quiet-times quiet-period command configures the quiet period and the maximum number of MAC address migration times within 60 seconds before users enter the quiet state.

The undo authentication mac-move quiet-times quiet-period command restores the default settings.

The default quiet period is 0 seconds and the maximum number of MAC address migration times within 60 seconds before users enter the quiet state is 3.

Format

authentication mac-move { quiet-times times | quiet-period quiet-value } *

undo authentication mac-move { quiet-times | quiet-period } *

Parameters

Parameter

Description

Value

times

Specifies the maximum number of MAC address migration times within 60 seconds before users enter the quiet state.

The value is an integer that ranges from 1 to 10.

quiet-value

Specifies the quiet period for MAC address migration users.

The value is an integer that ranges from 0 to 3600.

The value 0 indicates that the MAC address migration quiet function is disabled.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When users frequently switch access interfaces (especially frequent switching due to loops), the device needs to process a large number of authentication packets and entries, which results in high CPU usage. To solve this problem, configure the MAC address migration quiet function.

If the number of MAC address migration times for a user within 60 seconds exceeds the value (times) after the MAC address migration quiet function is enabled, the device quiets the user for a certain period (quiet-value). During the quiet period, the device does not allow users to perform MAC address migration.

Example

# Configure the quiet period to 120 seconds and the maximum number of MAC address migration times within 60 seconds before users enter the quiet state to 5.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-times 5 quiet-period 120

authentication mac-move quiet-user-alarm enable

Function

The authentication mac-move quiet-user-alarm enable command enables the device to send alarms about MAC address migration quiet.

The undo authentication mac-move quiet-user-alarm enable command disables the device from sending alarms about MAC address migration quiet.

By default, the device is disabled from sending alarms about MAC address migration quiet.

Format

authentication mac-move quiet-user-alarm enable

undo authentication mac-move quiet-user-alarm enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The device can send alarms about MAC address migration quiet to improve maintainability of the MAC address migration quiet function. The device sends an alarm when the number of users in the MAC address migration quiet table, as a percentage of the maximum number of users, exceeds the configured upper alarm threshold. If the percentage then decreases to a value equal to or smaller than the lower alarm threshold, the device sends a clear alarm. The upper and lower alarm thresholds are configured using the authentication mac-move quiet-user-alarm percentage command.

Example

# Enable the device to send alarms about MAC address migration quiet.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-user-alarm enable

authentication mac-move quiet-user-alarm percentage

Function

The authentication mac-move quiet-user-alarm percentage command configures the upper and lower alarm thresholds for the percentage of MAC address migration users in quiet state.

The undo authentication mac-move quiet-user-alarm percentage command restores the default setting.

By default, the lower alarm threshold is 50 and upper alarm threshold is 100.

Format

authentication mac-move quiet-user-alarm percentage lower-threshold upper-threshold

undo authentication mac-move quiet-user-alarm percentage

Parameters

Parameter

Description

Value

lower-threshold

Specifies the lower alarm threshold.

The value is an integer that ranges from 1 to 100.

upper-threshold

Specifies the upper alarm threshold.

The value is an integer that ranges from 1 to 100.

The value must be greater than that of lower-threshold.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The authentication mac-move quiet-user-alarm enable command can be run to enable the device to send alarms about MAC address migration quiet, which improves maintainability of the MAC address migration quiet function. The device sends an alarm when the number of users in the MAC address migration quiet table, as a percentage of the maximum number of users, exceeds the configured upper alarm threshold. If the percentage then decreases to a value equal to or smaller than the lower alarm threshold, the device sends a clear alarm. The upper and lower alarm thresholds are configured using the authentication mac-move quiet-user-alarm percentage command.
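The quiet function described under authentication mac-move quiet-times quiet-period (more than times migrations within 60 seconds puts the user into quiet for quiet-value seconds) and the alarm hysteresis described here can be modelled together. The following Python is an added example and not Huawei's code: max_users (the capacity the percentage is measured against), the event list standing in for device logs, the tick() ageing call, and the assumption that the migration which exceeds quiet-times is itself rejected are all constructions of this example; the value ranges checked are the ones the page documents.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # the fixed counting window for migrations on this page


class MacMoveQuietTable:
    """Model of the MAC address migration quiet table and its usage alarm."""

    def __init__(self, quiet_times=3, quiet_period=0, max_users=1000,
                 lower_threshold=50, upper_threshold=100, alarm_enabled=False):
        if not 1 <= quiet_times <= 10:
            raise ValueError("quiet-times must be 1-10")
        if not 0 <= quiet_period <= 3600:
            raise ValueError("quiet-period must be 0-3600 seconds")
        if not 1 <= lower_threshold < upper_threshold <= 100:
            raise ValueError("thresholds must be 1-100 with upper > lower")
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period      # 0 disables the quiet function
        self.max_users = max_users            # assumed table capacity
        self.lower = lower_threshold
        self.upper = upper_threshold
        self.alarm_enabled = alarm_enabled
        self.alarm_raised = False
        self.moves = defaultdict(deque)       # mac -> times of recent migrations
        self.quiet_until = {}                 # mac -> time the quiet period ends
        self.events = []                      # (time, kind, detail): stands in for logs

    def tick(self, now):
        """Age out quiet entries whose period has ended (modelled as periodic ageing)."""
        for mac, until in list(self.quiet_until.items()):
            if now >= until:
                del self.quiet_until[mac]
                self.events.append((now, "quiet-del", mac))
        self._check_alarm(now)

    def _check_alarm(self, now):
        """Raise above the upper threshold, clear at or below the lower one."""
        if not self.alarm_enabled:
            return
        pct = 100.0 * len(self.quiet_until) / self.max_users
        if not self.alarm_raised and pct > self.upper:
            self.alarm_raised = True
            self.events.append((now, "alarm", pct))
        elif self.alarm_raised and pct <= self.lower:
            self.alarm_raised = False
            self.events.append((now, "alarm-clear", pct))

    def request_move(self, mac, now):
        """Return True if the migration is allowed, False if the user is quieted."""
        self.tick(now)
        if mac in self.quiet_until:
            return False
        window = self.moves[mac]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                  # forget migrations older than 60 s
        window.append(now)
        if self.quiet_period > 0 and len(window) > self.quiet_times:
            # Assumption: the migration that exceeds quiet-times is rejected
            # and the user enters the quiet state.
            self.quiet_until[mac] = now + self.quiet_period
            window.clear()
            self.events.append((now, "quiet-add", mac))
            self._check_alarm(now)
            return False
        return True


def run_scenario():
    """Five constructed users each migrate six times within a minute, then age out."""
    table = MacMoveQuietTable(quiet_times=5, quiet_period=120, max_users=5,
                              lower_threshold=40, upper_threshold=80,
                              alarm_enabled=True)
    macs = ["00e0-fc00-000%d" % i for i in range(1, 6)]   # constructed sample MACs
    decisions = {}
    for k, mac in enumerate(macs):
        # migrations 2 s apart, staggered per user; the sixth exceeds quiet-times 5
        decisions[mac] = [table.request_move(mac, 2 * k + s) for s in range(0, 12, 2)]
    still_quiet = table.request_move(macs[0], 100)   # quiet until t=130
    table.tick(133)                                  # 3 of 5 entries left: 60% > 40%
    alarm_at_133 = table.alarm_raised
    table.tick(137)                                  # 1 of 5 left: 20% <= 40%
    alarm_at_137 = table.alarm_raised
    allowed_again = table.request_move(macs[0], 140)
    return {"decisions": decisions, "still_quiet_at_100": still_quiet,
            "alarm_at_133": alarm_at_133, "alarm_at_137": alarm_at_137,
            "allowed_after_quiet": allowed_again,
            "event_kinds": [e[1] for e in table.events]}


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario the alarm is raised when the fifth user is quieted (100% of a 5-entry table, above the upper threshold of 80) and is cleared only once the table has drained to 20%, below the lower threshold of 40, which is the hysteresis that keeps a table hovering around one threshold from flapping alarms.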

Example

# Configure the upper alarm threshold to 80 and lower alarm threshold to 40.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-user-alarm percentage 40 80

authentication max-reauth-req

Function

The authentication max-reauth-req command sets the maximum number of re-authentication attempts for users in a critical VLAN.

The undo authentication max-reauth-req command restores the default setting.

By default, the maximum number of re-authentication attempts is 20 for users in a critical VLAN.

Format

In the system view:

authentication max-reauth-req times interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication max-reauth-req [ times ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication max-reauth-req times

undo authentication max-reauth-req [ times ]

Parameters

Parameter

Description

Value

times

Specifies the maximum number of re-authentication attempts.

The value is an integer that ranges from 1 to 20. The default value is 20.

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • interface-number2 specifies the number of the last interface.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

When the authentication server maintained by the device changes to the Up state, the device triggers re-authentication for users already added to the critical VLAN. If the authentication is successful, the users exit the critical VLAN. However, if the re-authentication fails for reasons such as a fault on the access user's client, repeated re-authentication degrades device performance. After the maximum number of re-authentication attempts is set for users in the critical VLAN, the device forces a user to exit the critical VLAN once the user has failed authentication the specified number of times.

Example

# Set the maximum number of re-authentication attempts for users in the critical VLAN to 5 on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] authentication max-reauth-req 5 interface gigabitethernet 1/0/1

authentication open

Function

The authentication open command enables the NAC open function.

The undo authentication open command disables the NAC open function.

By default, the NAC open function is disabled on an interface.

Format

In the system view:

authentication open interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication open interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication open

undo authentication open

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • interface-number2 specifies the number of the last interface.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a new NAC network is set up, the network administrator needs to learn the number of potential access users and the authentication method they use, rather than control user access, because this information is required to configure user names, passwords, and authorization information on the authentication server. After 802.1X or MAC address authentication is configured on the access device, only authenticated users can access the network, so the administrator cannot obtain information about users who do not yet have user names and passwords on the authentication server.

The NAC open function allows users who fail authentication to access the network.

Precautions

  • The NAC open function is only applied to 802.1X and MAC address authentication.

  • The NAC open function is only applied to RADIUS remote authentication.

  • The NAC open function is valid only when the MAC address-based mode is used as the access control mode of the interface. After this function is enabled, users can be added to VLANs except a guest VLAN after they log in.

  • After NAC open is enabled on an interface and fixed user names are used for MAC address authentication, the users on the interface are allowed to access the network even if they have used incorrect user names or passwords.

Example

# Enable the NAC open function on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] authentication open interface gigabitethernet 1/0/1

authentication port-vlan-modify user-online

Function

The authentication port-vlan-modify user-online command enables the function of keeping users online when the port type or VLAN is changed.

The undo authentication port-vlan-modify user-online command restores the default setting.

By default, the function of keeping users online when the port type or VLAN is changed is disabled.

Format

authentication port-vlan-modify user-online

undo authentication port-vlan-modify user-online

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After user access authentication succeeds, you can change the VLAN that users are allowed to access or the access interface type through the RADIUS server. For example, you can assign VLANs to clients through the server for network planning and deployment. After the deployment is complete, to reduce the impact of link faults and device restarts on the network and to restore the network quickly, you can change the user access VLAN to the authorized VLAN. In this case, enable the function of keeping users online when the port type or VLAN is changed, so that interface or VLAN configurations can be modified without forcing users offline.

NOTE:
Only 802.1X authentication and MAC address authentication support this command.

Example

# Enable the function of keeping users online when the port type or VLAN is changed.

<HUAWEI> system-view
[HUAWEI] authentication port-vlan-modify user-online

authentication restrict-vlan

Function

The authentication restrict-vlan command configures a restrict VLAN on an interface.

The undo authentication restrict-vlan command deletes the restrict VLAN from an interface.

By default, no restrict VLAN is configured on an interface.

Format

In the system view:

authentication restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication restrict-vlan [ vlan-id ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication restrict-vlan vlan-id

undo authentication restrict-vlan [ vlan-id ]

Parameters

Parameter

Description

Value

vlan-id

Specifies the ID of a restrict VLAN.

The value is an integer that ranges from 1 to 4094.

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • interface-number2 specifies the number of the last interface.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure a restrict VLAN on the device interface so that users can still access some network resources (for example, to update the virus library) when they fail authentication. Users who fail authentication are added to the restrict VLAN and can access the resources in it. Note that the user fails authentication because the authentication server rejects the user for some reason, for example, because the user enters an incorrect password, not because the authentication times out or the network is disconnected.

NOTE:
  • The restrict VLAN is for the users who fail the authentication, while the guest VLAN is for the users who are not authenticated.

  • If only a guest VLAN is configured but no restrict VLAN is configured, the users who fail the authentication are added to the guest VLAN.

Prerequisites

The VLAN to be configured as the restrict VLAN must have been created.

Precautions

  • A super VLAN cannot be configured as a restrict VLAN.
  • When free IP subnets are configured, the restrict VLAN function becomes invalid immediately.
  • The restrict VLAN function takes effect only when a user sends untagged packets to the device.
  • To make the VLAN authorization function take effect, the link type and access control mode of the authentication interface must meet the following requirements:
    • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
    • When the link type is access or trunk, the access control mode can only be based on the interface.

Example

# In the system view, configure 802.1X authentication for the users using Port-based access method on GE1/0/1 and set the restrict VLAN to VLAN 20.

<HUAWEI> system-view
[HUAWEI] vlan batch 20
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1
[HUAWEI] dot1x port-method port interface gigabitethernet 1/0/1
[HUAWEI] authentication restrict-vlan 20 interface gigabitethernet 1/0/1

authentication speed-limit auto

Function

The authentication speed-limit auto command enables the device to dynamically adjust the rate of packets from NAC users.

The undo authentication speed-limit auto command disables the device from dynamically adjusting the rate of packets from NAC users.

By default, the device does not dynamically adjust the rate of packets from NAC users.

Format

authentication speed-limit auto

undo authentication speed-limit auto

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When many NAC users send authentication or logoff requests to the device at the same time, the CPU may be overloaded, especially when the CPU or memory usage is already high (for example, above 80%).

After this command is executed, the device limits the number of NAC packets received per second if the CPU or memory usage is high. This function reduces loads on the device CPU.

Example

# Enable the device to dynamically adjust the rate of packets from NAC users.

<HUAWEI> system-view
[HUAWEI] authentication speed-limit auto

authentication timer re-authen

Function

The authentication timer re-authen command configures the interval for re-authenticating pre-connection users or users who fail to be authenticated.

The undo authentication timer re-authen command restores the default setting.

By default, pre-connection users and users who fail to be authenticated are re-authenticated at an interval of 60 seconds.

Format

authentication timer re-authen { pre-authen re-authen-time | authen-fail re-authen-time }

undo authentication timer re-authen { pre-authen | authen-fail }

Parameters

Parameter

Description

Value

pre-authen re-authen-time

Specifies the interval for re-authenticating pre-connection users.

The value is 0 or an integer that ranges from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for pre-connection users.

authen-fail re-authen-time

Specifies the interval for re-authenticating users who fail to be authenticated.

The value is an integer that ranges from 30 to 7200, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device creates the mapping user entries when network access policies are assigned to users who are in the pre-connection phase or fail authentication. To enable users to pass authentication in real time, the device periodically re-authenticates the users who are in the pre-connection phase or fail authentication according to the user entries. The administrator can adjust the re-authentication interval based on the actual network requirements.

Precautions

This command only applies to 802.1X authentication and MAC address authentication.

This function takes effect only for users who go online after this function is successfully configured.

To reduce the impact on the device performance when many users exist, the user re-authentication interval may be longer than the configured re-authentication interval.

Example

# Set the interval for re-authenticating users who fail to be authenticated to 300 seconds.

<HUAWEI> system-view
[HUAWEI] authentication timer re-authen authen-fail 300

authentication user-alarm percentage

Function

The authentication user-alarm percentage command sets alarm thresholds for the percentage of successfully authenticated NAC users.

The undo authentication user-alarm command restores the default alarm thresholds for the percentage of successfully authenticated NAC users.

By default, the lower alarm threshold for the percentage of successfully authenticated NAC users is 50, and the upper alarm threshold is 100.

Format

authentication user-alarm percentage percent-lower-value percent-upper-value

undo authentication user-alarm

Parameters

Parameter

Description

Value

percent-lower-value

Specifies the lower alarm threshold for the percentage of successfully authenticated NAC users.

The value is an integer in the range from 1 to 100.

percent-upper-value

Specifies the upper alarm threshold for the percentage of successfully authenticated NAC users.

The value is an integer in the range from 1 to 100, and must be greater than or equal to the lower alarm threshold.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the number of successfully authenticated NAC users reaches a specified percentage, the device generates an alarm. You can run the authentication user-alarm percentage command to set the upper and lower alarm thresholds for this percentage.

When the percentage of successfully authenticated NAC users against the maximum number of users allowed by the device is greater than or equal to the upper alarm threshold, the device generates an alarm. When this percentage reaches or falls below the lower alarm threshold, the device generates a clear alarm.
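
The alarm and clear-alarm rule above, modelled as an added example (not code from the command reference). The maximum number of NAC users the device allows is model-specific, so the value used here is a constructed assumption.

```python
# Added example (not from the command reference): models the alarm rule of
# "authentication user-alarm percentage" so thresholds can be reasoned about.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class UserAlarmMonitor:
    lower: int             # percent-lower-value (1..100)
    upper: int             # percent-upper-value (lower..100)
    max_users: int         # maximum NAC users the device allows (assumed, model-specific)
    alarm_active: bool = False

    def __post_init__(self) -> None:
        # Same constraints the CLI enforces on the two thresholds.
        for name, value in (("lower", self.lower), ("upper", self.upper)):
            if not isinstance(value, int) or not 1 <= value <= 100:
                raise ValueError(f"{name} threshold must be an integer from 1 to 100")
        if self.upper < self.lower:
            raise ValueError("upper threshold must be greater than or equal to lower threshold")
        if self.max_users <= 0:
            raise ValueError("max_users must be positive")

    def percentage(self, online_users: int) -> float:
        """Successfully authenticated users as a percentage of the device maximum."""
        return 100.0 * online_users / self.max_users

    def update(self, online_users: int) -> Optional[str]:
        """Report the transition caused by a new user count.

        Returns "ALARM" when the percentage reaches or exceeds the upper
        threshold while no alarm is active, "CLEAR" when it reaches or falls
        below the lower threshold while an alarm is active, and None otherwise.
        The gap between the thresholds is hysteresis: a count oscillating
        inside it neither raises nor clears anything.
        """
        pct = self.percentage(online_users)
        if not self.alarm_active and pct >= self.upper:
            self.alarm_active = True
            return "ALARM"
        if self.alarm_active and pct <= self.lower:
            self.alarm_active = False
            return "CLEAR"
        return None


def run_sequence(lower: int, upper: int, max_users: int,
                 counts: List[int]) -> List[Optional[str]]:
    """Feed a series of online-user counts through one monitor."""
    monitor = UserAlarmMonitor(lower, upper, max_users)
    return [monitor.update(c) for c in counts]


def threshold_error(lower: int, upper: int) -> Optional[str]:
    """Return the rejection reason for a threshold pair, or None if it is accepted."""
    try:
        UserAlarmMonitor(lower, upper, max_users=1)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed scenario: thresholds 30/80 from the page's example, a device
    # that allows 1000 NAC users, and a user count that climbs, dips and recovers.
    counts = [100, 800, 900, 790, 300, 290, 850]
    for count, event in zip(counts, run_sequence(30, 80, 1000, counts)):
        print(f"{count:5d} users -> {event or 'no change'}")
```

With the default thresholds of 50 and 100 the alarm is raised only when the device is completely full, so lowering the upper threshold is what gives operators warning before new users start being rejected.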

Example

# Set the lower and upper alarm thresholds for the percentage of successfully authenticated NAC users to 30 and 80, respectively.

<HUAWEI> system-view
[HUAWEI] authentication user-alarm percentage 30 80

band-width share-mode

Function

The band-width share-mode command enables the bandwidth share mode.

The undo band-width share-mode command restores the default configuration.

By default, the bandwidth share mode is disabled.

Format

band-width share-mode

undo band-width share-mode

Parameters

None

Views

System view, AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

On a home network, all family members go online using the same account. To improve service experience of family members, you can enable the bandwidth share mode so that all members can share the bandwidth.

Precautions

  • If several users are connected through Eth-Trunk member interfaces that reside on the same LPU, these users share the bandwidth of the LPU. If users are connected through Eth-Trunk member interfaces that reside on different LPUs, the rate of each user's traffic depends on the CAR value of the corresponding LPU.
  • If this command is run in the system view, it takes effect for all users who go online afterwards. If this command is run in the AAA domain view, it takes effect only for users who go online in the domain afterwards.
  • If neither the local server nor the remote RADIUS server assigns CAR settings to users (whether already online or going online), the share mode does not take effect for those users.
  • If the bandwidth share mode is enabled and different users authenticate with the same account, users who went online without CAR settings are not affected when CAR settings are assigned to users who go online later.

Example

# Enable the bandwidth share mode in the system view.

<HUAWEI> system-view
[HUAWEI] band-width share-mode

# Enable the bandwidth share mode in the AAA domain view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] band-width share-mode

car (user group view)

Function

The car command enables traffic control for users in a user group.

The undo car command disables traffic control for users in a user group.

By default, traffic control is disabled for users in a user group.

Format

car { outbound | inbound } cir cir-value [ pir pir-value | cbs cbs-value | pbs pbs-value ] *

undo car { outbound | inbound }

Parameters

Parameter

Description

Value

outbound

Applies the user group CAR to the outgoing packets on an interface to restrict the outgoing packet rate.

-

inbound

Applies the user group CAR to the incoming packets on an interface to restrict the incoming packet rate.

-

cir cir-value

Specifies the committed information rate (CIR), which is the average rate of traffic that can pass through an interface.

The value is an integer that ranges from 64 to 4294967295, in kbit/s.

pir pir-value

Specifies the peak information rate (PIR), which is the maximum rate of traffic that can pass through an interface.

The value is an integer that ranges from 64 to 4294967295, in kbit/s.

The PIR value must be greater than or equal to the CIR value. The default PIR value is equal to the CIR value.

cbs cbs-value

Specifies the committed burst size (CBS), which is the average volume of burst traffic that can pass through an interface.

The value is an integer that ranges from 10000 to 4294967295, in bytes.

The default value of cbs-value is 188 x cir-value.

pbs pbs-value

Specifies the peak burst size (PBS), which is the maximum volume of burst traffic that can pass through an interface.

The value is an integer that ranges from 10000 to 4294967295, in bytes.

The value of pbs-value must be larger than that of cbs-value. The default value of pbs-value is 188 x pir-value.

Views

User group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After user groups are created using the user-group command, you can run the car command to configure traffic control for users in a user group, so that users in different groups are allocated different bandwidths.

Precautions

  • The car command takes effect on each user in a user group.
  • This function takes effect only for users who go online after this function is successfully configured.
  • When users connected to the device through an Eth-Trunk go online through Portal authentication, only X series cards can provide traffic policing for them.
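
Added example (not Huawei code) that applies the defaults and constraints documented for this command to a set of CAR values and reports how long a burst at the CIR the CBS represents. Clamping an oversized default burst to the field range is an assumption, as is checking the pbs > cbs rule only for an explicitly supplied pbs (with nothing but cir given, both defaults are 188 x cir).

```python
# Added example (not Huawei code): applies the documented defaults and checks of
# "car { outbound | inbound } cir ... [ pir | cbs | pbs ]" to a set of values.
from dataclasses import dataclass
from typing import Optional

RATE_MIN, RATE_MAX = 64, 4294967295        # cir/pir range, kbit/s
BURST_MIN, BURST_MAX = 10000, 4294967295   # cbs/pbs range, bytes
BURST_FACTOR = 188                         # default cbs = 188 x cir, pbs = 188 x pir


@dataclass(frozen=True)
class UserGroupCar:
    direction: str
    cir: int  # kbit/s
    pir: int  # kbit/s
    cbs: int  # bytes
    pbs: int  # bytes

    def burst_window_ms(self) -> float:
        """Milliseconds of traffic at CIR that the committed bucket (CBS) holds.

        cbs bytes * 8 bit / (cir * 1000 bit/s) seconds == cbs * 8 / cir ms.
        """
        return self.cbs * 8 / self.cir

    def cli(self) -> str:
        """Render the equivalent command line, omitting parameters at their defaults."""
        parts = [f"car {self.direction} cir {self.cir}"]
        if self.pir != self.cir:
            parts.append(f"pir {self.pir}")
        if self.cbs != min(BURST_FACTOR * self.cir, BURST_MAX):
            parts.append(f"cbs {self.cbs}")
        if self.pbs != min(BURST_FACTOR * self.pir, BURST_MAX):
            parts.append(f"pbs {self.pbs}")
        return " ".join(parts)


def _check_range(name: str, value: int, lo: int, hi: int, unit: str) -> None:
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer from {lo} to {hi} {unit}, got {value!r}")


def resolve_car(direction: str, cir: int, pir: Optional[int] = None,
                cbs: Optional[int] = None, pbs: Optional[int] = None) -> UserGroupCar:
    """Fill in defaults and validate the way the command reference describes."""
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be inbound or outbound")
    _check_range("cir", cir, RATE_MIN, RATE_MAX, "kbit/s")
    if pir is None:
        pir = cir                                   # default PIR equals CIR
    _check_range("pir", pir, RATE_MIN, RATE_MAX, "kbit/s")
    if pir < cir:
        raise ValueError("pir must be greater than or equal to cir")
    if cbs is None:
        # Assumption: a default that would exceed the field range is clamped.
        cbs = min(BURST_FACTOR * cir, BURST_MAX)
    _check_range("cbs", cbs, BURST_MIN, BURST_MAX, "bytes")
    pbs_given = pbs is not None
    if pbs is None:
        pbs = min(BURST_FACTOR * pir, BURST_MAX)
    _check_range("pbs", pbs, BURST_MIN, BURST_MAX, "bytes")
    # The reference requires pbs to be larger than cbs. With neither pir nor
    # the bursts given, both defaults are 188 x cir, so the strict comparison
    # is applied only to an explicitly supplied pbs (assumption).
    if pbs_given and pbs <= cbs:
        raise ValueError("pbs must be larger than cbs")
    return UserGroupCar(direction, cir, pir, cbs, pbs)


def car_error(direction: str, cir: int, **kw: int) -> Optional[str]:
    """Return the rejection reason for a parameter set, or None if it is accepted."""
    try:
        resolve_car(direction, cir, **kw)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The page's own example: cir 10000 kbit/s, cbs 50000 bytes, outbound.
    car = resolve_car("outbound", 10000, cbs=50000)
    default = resolve_car("outbound", 10000)
    print(car.cli(), "->", car)
    print(f"CBS 50000 absorbs {car.burst_window_ms():.0f} ms at CIR; "
          f"the default CBS of {default.cbs} would absorb {default.burst_window_ms():.0f} ms")
```

The default CBS of 188 x cir corresponds to about 1.5 s of traffic at the CIR regardless of the rate, so an explicit cbs like the page's 50000 bytes (40 ms at 10 Mbit/s) is a much tighter burst allowance.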

Example

# Set the CIR to 10000 kbit/s and the CBS to 50000 bytes for outgoing packets of users in a user group.

<HUAWEI> system-view
[HUAWEI] user-group huawei
[HUAWEI-user-group-huawei] car outbound cir 10000 cbs 50000

cut access-user

Function

The cut access-user command forces users offline.

Format

cut access-user open

cut access-user user-group group-name

Parameters

Parameter

Description

Value

open

Forces open users offline.

-

user-group group-name

Specifies the user group based on which the users are forced offline.

The value must be an existing user group name.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

After a user goes online, run this command to force the user offline if you need to change the user's network access rights or find that the user is unauthorized.

Example

# Force open users offline.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] cut access-user open

display aaa statistics access-type-authenreq

Function

The display aaa statistics access-type-authenreq command displays the number of requests for MAC, Portal, or 802.1X authentication.

Format

display aaa statistics access-type-authenreq

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When users send authentication requests, the device counts the MAC, Portal, and 802.1X authentication requests that are initiated.

To view the number of requests for MAC, Portal, or 802.1X authentication, run the display aaa statistics access-type-authenreq command.

Example

# Display the number of requests for MAC, Portal, or 802.1X authentication.

<HUAWEI> display aaa statistics access-type-authenreq
mac     authentication request     :2
portal  authentication request     :0
dot1x   authentication request     :0
Table 13-86  Description of the display aaa statistics access-type-authenreq command output

Item

Description

mac authentication request

Number of MAC authentication requests.

portal authentication request

Number of Portal authentication requests.

dot1x authentication request

Number of 802.1X authentication requests.

display authentication mode

Function

The display authentication mode command displays the current NAC configuration mode and the mode after restart.

Format

display authentication mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display authentication mode command to view the current NAC configuration mode.

Example

# Display the current NAC configuration mode and the mode after restart.
<HUAWEI> display authentication mode
  Current authentication mode is unified-mode                               
  Next authentication mode is unified-mode  
Table 13-87  Description of the display authentication mode command output

Item

Description

Current authentication mode is unified-mode Current NAC configuration mode.
Next authentication mode is unified-mode NAC configuration mode after the device restarts.

Run the authentication unified-mode command to switch the NAC mode to unified mode.

Run the undo authentication unified-mode command to switch the NAC mode to common mode.

display access-user

Function

The display access-user command displays information about online NAC users.

Format

display access-user open

display access-user option82 { circuit-id text | remote-id text }

display access-user user-group group-name [ detail ]

Parameters

Parameter

Description

Value

open

Displays open user information.

-

option82

Displays information about MAC address authentication users who use the Option 82 field as user names.

-

circuit-id text

Displays information about MAC address authentication users who specify the circuit ID as user names.

The value must be existing circuit-id information.

remote-id text

Displays information about MAC address authentication users who specify the remote ID as user names.

The value must be existing remote-id information.

user-group group-name

Displays information about users in a specified user group.

The value must be an existing user group index.

detail

Displays detailed information about users.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check information about online NAC users.

Example

# Display open user information.

<HUAWEI> display access-user open 
-------------------------------------------------------------------------------
 UserID Username                IP address         MAC             Status 
 ------------------------------------------------------------------------------
 16016  1@radius                10.8.7.5           0011-0904-2f61  Success 
 ------------------------------------------------------------------------------
 Total: 1, printed: 1, Open: 1, printed: 1
NOTE:

Only letters, digits, and special characters can be displayed for username.

When the username contains special characters or characters from languages other than English, the device displays a dot (.) for each such character. If more than three such characters are consecutive, only three dots (.) are displayed. Here, special characters are those with ASCII codes smaller than 32 (space) or larger than 126 (~).

When the username is longer than 20 characters, the device displays the first 19 characters followed by up to three dots (.) for the remaining characters; that is, at most 22 characters are displayed.
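
The two rendering rules above, implemented as an added example (not Huawei code) so that names in the command output can be interpreted. It assumes that masking is applied before the length check, and the usernames it runs on are constructed.

```python
# Added example (not Huawei code): reproduces the username rendering rules in
# the NOTE for "display access-user", so that output can be read correctly.
from itertools import groupby

MAX_FULL_LEN = 20   # usernames up to this length are shown in full
KEEP_PREFIX = 19    # longer names keep this many characters, then up to three dots


def _is_masked(ch: str) -> bool:
    """Special character as defined by the NOTE: ASCII below 32 or above 126.

    Characters from non-English scripts have code points above 126 and so fall
    into the same group.
    """
    code = ord(ch)
    return code < 32 or code > 126


def mask_special(username: str) -> str:
    """Replace each special character with a dot; a run of more than three
    consecutive special characters collapses to exactly three dots."""
    out = []
    for masked, run in groupby(username, key=_is_masked):
        chars = "".join(run)
        out.append("." * min(len(chars), 3) if masked else chars)
    return "".join(out)


def truncate_display(text: str) -> str:
    """Keep the first 19 characters of a name longer than 20 and append one dot
    per omitted character, at most three (so at most 22 characters)."""
    if len(text) <= MAX_FULL_LEN:
        return text
    return text[:KEEP_PREFIX] + "." * min(3, len(text) - KEEP_PREFIX)


def render_username(username: str) -> str:
    """Display form of a username. Assumption: masking happens before the
    length check, i.e. the 20-character limit applies to the displayed text."""
    return truncate_display(mask_special(username))


def display_is_exact(username: str) -> bool:
    """False when the displayed name is lossy. Such names cannot be used to
    tell accounts apart, so match on UserID or MAC in the same row instead."""
    return render_username(username) == username


if __name__ == "__main__":
    # Constructed usernames, including one with control characters and one
    # using non-ASCII letters.
    for name in ["1@radius", "ad\x01min", "guest\x01\x02\x03\x04\x05", "m\u00fcller",
                 "very.long.account.name@example.com"]:
        print(f"{render_username(name):<22} exact={display_is_exact(name)}")
```

Because masking is lossy, two distinct accounts can render identically (for example "ad\x01min" and "ad\x02min" both display as "ad.min"); when auditing who is online, rely on the UserID, IP address and MAC columns rather than the displayed Username alone.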

Table 13-88  Description of the display access-user command output

Item

Description

UserID ID that is assigned to a user after the user goes online.
Username User name.
IP address User IP address.
MAC User MAC address.
Status

User access status.

  • Open: For wired users, the user goes online through the open function upon authentication failure. For wireless users, no authentication is performed.
  • Success: Authentication is successful.
  • Pre-authen: Pre-authentication.
  • Client-no-resp: The client does not respond.
  • Fail-authorized: Authorization upon authentication failure.
  • Web-server-down: The web server is Down.
  • Aaa-server-down: The AAA server is Down.

display access-user dot1x-identity statistics

Function

The display access-user dot1x-identity statistics command displays statistics about Identity packets for 802.1X authentication on a switch.

Format

display access-user dot1x-identity statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run this command to view the statistics about Identity packets for 802.1X authentication on a switch.

Example

# Display statistics about Identity packets for 802.1X authentication on the switch.

<HUAWEI> display access-user dot1x-identity statistics
Process:5
-----------------------------------------------------------------------
Receive(Packet)    Pass(Packet)    Drop(Packet)    Last-dropping-time  
-----------------------------------------------------------------------
0                  0               0               -                   
-----------------------------------------------------------------------
...
Table 13-89  Description of the display access-user dot1x-identity statistics command output
Item Description
Process ID of the process that handles Identity packets for 802.1X authentication.
Receive(Packet) Total number of Identity packets for 802.1X authentication received by the switch.
Pass(Packet) Number of Identity packets for 802.1X authentication sent to and processed by the CPU of the switch.
Drop(Packet) Number of Identity packets for 802.1X authentication discarded by the switch.
Last-dropping-time Latest time when the switch discarded Identity packets for 802.1X authentication. If no packet loss record exists on the switch, this field displays -.

display authentication mac-move configuration

Function

The display authentication mac-move configuration command displays the MAC address migration configuration.

Format

display authentication mac-move configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display authentication mac-move configuration command to view the MAC address migration configuration, which includes the number of MAC address migrations allowed within 60s before users enter the quiet state, the period for which MAC address migration users stay in the quiet state, the interval at which the device detects users' online status before MAC address migration, and the number of detections performed before MAC address migration.

Example

# Display the MAC address migration configuration.

<HUAWEI> display authentication mac-move configuration
Mac-move vlan config:all                                                                                                            
Mac-move quiet times:1                                                                                                              
Mac-move quiet period(s):120                                                                                                        
Mac-move quiet log:ENABLE                                                                                                           
Mac-move quiet user alarm:ENABLE                                                                                                    
Mac-move quiet user alarm lower percentage(%):50                                                                                    
Mac-move quiet user alarm upper percentage(%):100
Mac-move detect:DISABLE                                                         
Mac-move detect retry-interval(s):3                                             
Mac-move detect retry-time:1 
Table 13-90  Description of the display authentication mac-move configuration command output

Item

Description

Mac-move vlan config

VLAN ID range in which MAC address migration is enabled.

For details, see the authentication mac-move enable command.

Mac-move quiet times

Number of MAC address migrations a user is allowed within 60s before entering the quiet state.

For details, see the authentication mac-move quiet-times quiet-period command.

Mac-move quiet period(s)

Period that MAC address migration users stay in the quiet state.

For details, see the authentication mac-move quiet-times quiet-period command.

Mac-move quiet log
Whether a device is enabled to record logs about user quietness triggered by MAC address migration:
  • ENABLE
  • DISABLE

For details, see the authentication mac-move quiet-log enable command.

Mac-move quiet user alarm
Whether a device is enabled to send alarms about user quietness triggered by MAC address migration:
  • ENABLE
  • DISABLE

For details, see the authentication mac-move quiet-user-alarm enable command.

Mac-move quiet user alarm lower percentage(%)

Lower alarm threshold for the percentage of MAC address migration users in quiet state.

For details, see the authentication mac-move quiet-user-alarm percentage command.

Mac-move quiet user alarm upper percentage(%)

Upper alarm threshold for the percentage of MAC address migration users in quiet state.

For details, see the authentication mac-move quiet-user-alarm percentage command.

Mac-move detect
Whether a device is enabled to detect users' online status before user MAC address migration:
  • ENABLE
  • DISABLE

For details, see the authentication mac-move detect enable command.

Mac-move detect retry-interval(s)

Interval at which a device detects users' online status before user MAC address migration.

For details, see the authentication mac-move detect retry-interval retry-time command.

Mac-move detect retry-time

Number of detections before user MAC address migration.

For details, see the authentication mac-move detect retry-interval retry-time command.

display authentication mac-move quiet-user

Function

The display authentication mac-move quiet-user command displays information about MAC address migration users in quiet state.

Format

display authentication mac-move quiet-user { all | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all MAC address migration users in quiet state.

-

mac-address mac-address

Displays information about MAC address migration users in quiet state with a specified MAC address.

The value is in the H-H-H format. An H contains 1 to 4 hexadecimal digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Run this command to view information about MAC address migration users in quiet state.

Example

# Display information about all MAC address migration users in quiet state.

<HUAWEI> display authentication mac-move quiet-user all
Quiet MAC Information
-------------------------------------------------------------------------------
Quiet MAC                                                 Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003                                            143
-------------------------------------------------------------------------------
1 quiet MAC found, 1 printed. 
Table 13-91  Description of the display authentication mac-move quiet-user all command output

Item

Description

Quiet MAC

MAC address of MAC address migration users in quiet state.

Quiet Remain Time(Sec)

Remaining quiet time of MAC address migration users in quiet state, in seconds.

display authentication user-alarm configuration

Function

The display authentication user-alarm configuration command displays alarm thresholds for the percentage of successfully authenticated NAC users.

Format

display authentication user-alarm configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view the alarm thresholds for the percentage of successfully authenticated NAC users.

Example

# Display the alarm thresholds for the percentage of successfully authenticated NAC users.

<HUAWEI> display authentication user-alarm configuration
  Current Alarm Percent:100                                                     
  Current Alarm Resume Percent:60 
Table 13-92  Description of the display authentication user-alarm configuration command output

Item

Description

Current Alarm Percent Upper alarm threshold for the percentage of successfully authenticated NAC users.
Current Alarm Resume Percent Lower alarm threshold for the percentage of successfully authenticated NAC users.

display dot1x

Function

The display dot1x command displays 802.1X authentication information.

Format

display dot1x statistics

display dot1x [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

Parameters

Parameter

Description

Value

statistics

Displays statistics on 802.1X authentication.

Statistics about 802.1X authentication are displayed only when this parameter is specified.

-

interface { interface-type interface-number1 [ to interface-number2 ] }

Displays 802.1X authentication information on a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

802.1X authentication information on all device interfaces is displayed if this parameter is not specified.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display dot1x command to view configuration results of all configuration commands in 802.1X authentication and statistics about 802.1X packets.

The command output helps you check whether the current 802.1X authentication configuration is correct and isolate faults accordingly.

Follow-up Procedure

The display dot1x command displays the statistics on 802.1X packets. You can locate the fault according to the packet statistics. When the fault is rectified, run the reset dot1x statistics command to clear the packet statistics. After a period of time, run the display dot1x command again to check the packet statistics. If no error packet is found, the fault is rectified.

Example

# Display 802.1X authentication information.

<HUAWEI> display dot1x
  Global 802.1x is Enabled
  Authentication method is CHAP
  Max users: 65536
  Current users: 1
  DHCP-trigger is Disabled
  Handshake is Enabled
  Quiet function is Enabled
  Mc-trigger port-up-send is Disabled
  Parameter set:Dot1x Handshake Period        16s   Reauthen Period     60s
                Arp Handshake Period           0s   Client Timeout      10s
                Quiet Period                 600s   Quiet-times          2
                Eth-Trunk Handshake Period   120s   Tx Period           30
                Mac-By-Pass Delay             30s
  Dot1x URL: www.123.com.cn
  Free-ip configuration(IP/mask):
   192.168.1.0     /255.255.255.0

 GigabitEthernet1/0/3 status: UP  802.1x protocol is Enabled
  Port control type is Auto
  Authentication mode is MAC-based
  Authentication method is CHAP
  Reauthentication is disabled
  Dot1x retry times: 2
  Authenticating users: 1
  Current users: 1

  Authentication Success: 1          Failure: 0
  Enter Enquence        : 0
  EAPOL Packets: TX     : 19         RX     : 0
  Sent      EAPOL Request/Identity Packets       : 1
            EAPOL Request/Challenge Packets      : 0
            Multicast Trigger Packets            : 18
            EAPOL Success Packets                : 0
            EAPOL Failure Packets                : 0
  Received  EAPOL Start Packets                  : 0
            EAPOL Logoff Packets                 : 0
            EAPOL Response/Identity Packets      : 0
            EAPOL Response/Challenge Packets     : 0

 Online user(s) info:
 UserId   MAC/VLAN            AccessTime              UserName
 ------------------------------------------------------------------------------
 17487    000c-2952-fd80/34   2018/07/30 09:49:15     lss
 ------------------------------------------------------------------------------
 Total: 1, printed: 1

# Display 802.1X statistics.

<HUAWEI> display dot1x statistics
  Dropped   EAPOL Access Flow Control       : 0
            EAPOL Check Sysmac Error        : 0
            EAPOL Get Vlan ID Error         : 0
            EAPOL Packet Flow Control       : 0
            EAPOL Online User Reach Max     : 0
            EAPOL Static or BlackHole Mac   : 0
            EAPOL Get Vlan Mac Error        : 0
            EAPOL Temp User Exist           : 0
            EAPOL no replace dot1x          : 0  

  DHCP      Enter Enqueue                        : 0
            Processed Packet                     : 0
            Dropped Packet                       : 0

  ARP       Enter Enqueue                        : 0
            Processed Packet                     : 0
            Dropped Packet                       : 0

  ND        Enter Enqueue                        : 0
            Processed Packet                     : 0
            Dropped Packet                       : 0

  DHCPv6    Enter Enqueue                        : 0
            Processed Packet                     : 0
            Dropped Packet                       : 0

  Sent      Authentication Request               : 0
            Cut Request                          : 0
            Cut Command Ack                      : 0
            Authentication Ack Fail Aff          : 0
            Update Ip                            : 0
            Wlan Eap Authentication Request      : 0
            Wlan Eap Authentication Request Ack  : 0
            Wlan Eap Send Pmk                    : 0
            Wlan Eap Reauthenticate Send Pmk     : 0
            Update User Online Time              : 0

  Received  Authentication Ack                   : 0
            Reauthenticate Command               : 0
            Cut Command                          : 0
            Cut Ack                              : 0
            Sam Nac Ack                          : 0
            Notify Server Up                     : 0
            Wlan Eap Authentication Request      : 0
            Wlan Mac Authentication Request      : 0
            Notify Vlanif Mac Authentication     : 0
Table 13-93  Description of the display dot1x command output

Item

Description

Global 802.1x is Enabled

802.1X authentication is enabled globally.

To enable 802.1X authentication, run the dot1x enable command.

Authentication method is CHAP

CHAP authentication is enabled. The available authentication methods are EAP, CHAP, and PAP.

To enable CHAP authentication, run the dot1x authentication-method command.

Max users

Maximum number of global online users. The value varies with the device model.

To set the maximum number of global online users, run the dot1x max-user command.

Current users

Number of current online users.

DHCP-trigger is Disabled

Authentication triggering through DHCP packets is disabled.

To trigger authentication using DHCP packets, run the dot1x dhcp-trigger command.

Handshake is Enabled

The handshake function is enabled for online users.

To enable the handshake function, run the dot1x handshake command.

Quiet function is Disabled

The quiet function is disabled for users.

To enable the quiet function, run the dot1x quiet-period command.

Mc-trigger port-up-send is Disabled

The function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up is disabled.

To configure the function, run the dot1x mc-trigger port-up-send enable command.

Parameter set

Settings of 802.1X authentication parameters.

Dot1x Handshake Period

Handshake interval between the device and an 802.1X client connected to a non-Eth-Trunk interface.

To set the handshake interval, run the dot1x timer command.

Reauthen Period

Re-authentication interval.

To set the re-authentication interval, run the dot1x timer command.

Arp Handshake Period

Handshake interval of the device with pre-connection users and authorized users.

Client Timeout

Timeout interval of a client.

To set the timeout interval of a client, run the dot1x timer command.

Quiet Period

Value of the quiet timer.

To set the value of the quiet timer, run the dot1x timer command.

Quiet-times

Maximum number of authentication failures before an 802.1X user enters the quiet state.

To set the maximum number of authentication failures, run the dot1x quiet-times command.

Eth-Trunk Handshake Period

Handshake interval between the device and an 802.1X client connected to an Eth-Trunk.

To set the handshake interval, run the dot1x timer command.

Tx Period

The interval for sending authentication requests.

To set this interval, run the dot1x timer command.

Mac-By-Pass Delay

The value of the delay timer for MAC address bypass authentication.

To set this delay, run the dot1x timer command.

Dot1x URL

Redirect-to URL.

To set the redirect-to URL, run the dot1x url command.

Free-ip configuration(IP/mask)

Free IP subnet.

To set the free IP subnet, run the dot1x free-ip command.

GigabitEthernet1/0/1 state

State of an interface.

  • UP: The interface is started.
  • DOWN: The interface is shut down.

802.1x protocol is Enabled[mac-bypass]

802.1X authentication is enabled on the interface. To enable 802.1X authentication, run the dot1x enable command.

To configure MAC address bypass authentication, run the dot1x mac-bypass command. If MAC address bypass authentication is configured, [mac-bypass] is displayed.

Port control type is Auto

The control mode on the interface is auto for 802.1X authentication user access. The access control modes include auto, authorized-force, and unauthorized-force.

To set the control mode, run the dot1x port-control command.

Authentication mode is MAC-based

The MAC address-based authentication method is used on the interface.

To set the authentication method on the interface, run the dot1x port-method command.

Reauthentication is disabled

802.1X user re-authentication is disabled on the interface.

To enable 802.1X user re-authentication, run the dot1x reauthenticate command.

Dot1x retry times

Maximum number of times an authentication request is sent to an 802.1X user.

To set the maximum number of times an authentication request is sent to an 802.1X user, run the dot1x retry command.

Authenticating users

Number of users who are being authenticated.

Current users

Number of current online users on the interface.

Authentication Success

Number of successful authentications.

The statistics cover online 802.1X users but not users authenticated through MAC address bypass.

Failure

Number of failed authentications.

The statistics cover online 802.1X users but not users authenticated through MAC address bypass.

Enter Enquence

Number of packets entering the queue.

EAPOL Packets

Global number of EAPOL packets.

  • TX: Number of sent EAPOL packets.
  • RX: Number of received EAPOL packets.

Sent

Statistics on sent packets.

EAPOL Request/Identity Packets

Global number of EAPOL Request/Identity packets.

EAPOL Request/Challenge Packets

Global number of EAPOL Request/Challenge packets.

Multicast Trigger Packets

Number of multicast packets that trigger authentication.

EAPOL Success Packets

Global number of EAPOL Success packets.

EAPOL Failure Packets

Global number of EAPOL Failure packets.

Received

Statistics on received packets.

EAPOL Start Packets

Global number of EAPOL Start packets.

EAPOL Logoff Packets

Global number of EAPOL Logoff packets.

EAPOL Response/Identity Packets

Global number of EAPOL Response/Identity packets.

EAPOL Response/Challenge Packets

Global number of EAPOL Response/Challenge packets.

Online user(s) info

Online user information:

  • UserId: User ID.
  • MAC/VLAN: MAC address/VLAN ID.
  • AccessTime: Access time.
  • UserName: User name.
  • Total: Total number of online users.
  • printed: Number of displayed online users.

Dropped

Number of discarded EAP packets.

  • EAPOL Access Flow Control: number of packets that are discarded because the user access rate is exceeded.
  • EAPOL Check Sysmac Error: number of packets that are discarded because the device MAC address is incorrect.
  • EAPOL Get Vlan ID Error: number of packets that are discarded because the obtained VLAN ID is incorrect.
  • EAPOL Packet Flow Control: number of packets that are discarded because the packet access rate is exceeded.
  • EAPOL Online User Reach Max: number of packets that are discarded because the number of online users reaches the maximum.
  • EAPOL Static or BlackHole Mac: number of packets that are discarded because the packet MAC address is a static MAC address or blackhole MAC address.
  • EAPOL Get Vlan Mac Error: number of packets that are discarded because the obtained VLAN MAC address is incorrect.
  • EAPOL Temp User Exist: number of packets that are discarded because the temporary user exists.
  • EAPOL no replace dot1x: number of EAP Start packets that are discarded because the MAC address already belongs to a successfully authenticated MAC address authentication or Portal user and is not replaced by 802.1X authentication.

DHCP

DHCP packet statistics.

ARP

ARP packet statistics.

ND

ND packet statistics.

DHCPv6

DHCPv6 packet statistics.

Processed Packet

Number of processed packets.

Dropped Packet

Number of discarded packets.

Authentication Request

Number of authentication request messages.

Cut Request

Number of logout request messages.

Cut Command Ack

Number of acknowledgment messages to logout command request messages.

Authentication Ack Fail Aff

Number of times a wireless user is disconnected after authentication fails.

Update Ip

Number of IP address update messages.

Wlan Eap Authentication Request

Number of EAP authentication request messages initiated by the WLAN module.

Wlan Eap Authentication Request Ack

Number of acknowledgment messages to EAP authentication request messages initiated by the WLAN module.

Wlan Eap Send Pmk

Number of PMK messages sent when the WLAN module performs EAP authentication.

Wlan Eap Reauthenticate Send Pmk

Number of PMK messages sent when the WLAN module performs EAP re-authentication.

Update User Online Time

Number of times the user online time is updated.

Authentication Ack

Number of authentication acknowledgment messages.

Reauthenticate Command

Number of re-authentication messages.

Cut Command

Number of logout command request messages.

Cut Ack

Number of acknowledgment messages to logout request messages.

Sam Nac Ack

Number of EAP messages replied by the SAM module.

Notify Server Up

Number of RADIUS server Up messages.

Wlan Mac Authentication Request

Number of MAC authentication request messages initiated by the WLAN module.

Notify Vlanif Mac Authentication

Number of MAC authentication request messages of a VLANIF interface.

display dot1x quiet-user

Function

The display dot1x quiet-user command displays information about 802.1X authentication users who are quieted.

Format

display dot1x quiet-user { all | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all 802.1X authentication users who are quieted.

-

mac-address mac-address

Displays information about a quiet 802.1X authentication user with a specified MAC address.

The value is in H-H-H format. Each H is a hexadecimal number of 1 to 4 digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view information about 802.1X authentication users who are quieted.

Example

# Display information about all 802.1X authentication users who are quieted.

<HUAWEI> display dot1x quiet-user all
-------------------------------------------------------------------------------
MacAddress                                                Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003                                            50
-------------------------------------------------------------------------------
1 silent mac address(es) found, 1 printed. 
Table 13-94  Description of the display dot1x quiet-user all command output

Item

Description

MacAddress

MAC address of an 802.1X authentication user who is quieted.

Quiet Remain Time(Sec)

Remaining quiet time of an 802.1X authentication user who is quieted, in seconds.

display mac-address authen

Function

The display mac-address authen command displays the current authen MAC address entries in the system.

Format

display mac-address authen [ interface-type interface-number | vlan vlan-id ] * [ verbose ]

Parameters

Parameter

Description

Value

vlan vlan-id

Displays MAC address entries in a specified VLAN.

If no VLAN is specified, MAC address entries in all VLANs of the device are displayed.

The value is an integer that ranges from 1 to 4094.

interface-type interface-number

Displays MAC address entries on a specified interface.

If no interface is specified, MAC address entries on all interfaces of the device are displayed.

-

verbose

Displays detailed information about MAC address entries.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The authen MAC address entries are generated for pre-connection users or after users pass authentication. The administrator can run this command to check the existing authen or guest MAC address entries on the device. The administrator can check information about user access based on these MAC address entries to locate user access faults.

Precautions

If there are a lot of authen MAC address entries, you can specify a VLAN or use a pipe operator (|) to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is refreshed repeatedly on the terminal screen and the administrator cannot obtain the required information.

  • The device traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all authen MAC address entries in the system.

<HUAWEI> display mac-address authen
-------------------------------------------------------------------------------  
MAC Address    VLAN/VSI/BD                          Learned-From        Type        
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/-                              GE1/0/1            authen
0000-0000-0400 3000/-/-                              GE1/0/1            authen
0000-0000-0200 3000/-/-                              GE1/0/1            authen
-------------------------------------------------------------------------------  
Total items displayed = 3                     
Table 13-95  Description of the display mac-address authen command output

Item

Description

MAC Address

MAC address of a user to be authenticated.

VLAN/VSI/BD

VLAN/VSI/BD that the outbound interface belongs to.

Learned-From

Interface on which a MAC address is learned.

Type

Type of MAC addresses.

Total items displayed

Total number of MAC address entries that match the filter condition.

display mac-address pre-authen

Function

The display mac-address pre-authen command displays the current pre-authen MAC address entries in the system.

Format

display mac-address pre-authen [ interface-type interface-number | vlan vlan-id ] * [ verbose ]

Parameters

Parameter

Description

Value

vlan vlan-id

Displays MAC address entries in a specified VLAN.

If no VLAN is specified, MAC address entries in all VLANs of the device are displayed.

The value is an integer that ranges from 1 to 4094.

interface-type interface-number

Displays MAC address entries on a specified interface.

If no interface is specified, MAC address entries on all interfaces of the device are displayed.

-

verbose

Displays detailed information about MAC address entries.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run this command to check the existing MAC address entries of the pre-connection type to obtain access information about pre-connection users and locate faults.

Precautions

If there are a lot of pre-authen MAC address entries, you can specify a VLAN or use a pipe operator (|) to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is refreshed repeatedly on the terminal screen and the administrator cannot obtain the required information.

  • The device traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all pre-authen MAC address entries in the system.

<HUAWEI> display mac-address pre-authen
-------------------------------------------------------------------------------  
MAC Address    VLAN/VSI/BD                          Learned-From        Type        
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/-                              GE1/0/1            pre-authen
0000-0000-0400 3000/-/-                              GE1/0/1            pre-authen
0000-0000-0200 3000/-/-                              GE1/0/1            pre-authen
-------------------------------------------------------------------------------  
Total items displayed = 3                     
Table 13-96  Description of the display mac-address pre-authen command output

Item

Description

MAC Address

MAC address of a user to be authenticated.

VLAN/VSI/BD

VLAN/VSI/BD that the outbound interface belongs to.

Learned-From

Interface on which a MAC address is learned.

Type

Type of a MAC address entry.

Total items displayed

Total number of MAC address entries that match the filter condition.

display mac-authen

Function

The display mac-authen command displays information about MAC address authentication.

Format

display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | configuration ]

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Displays information about MAC address authentication on a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

MAC address authentication information on all device interfaces is displayed if this parameter is not specified.

-

configuration

Displays the global information about MAC address authentication.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display mac-authen command to view the results of all MAC address authentication configuration commands. The command output helps you check whether the MAC address authentication configuration is correct and isolate faults accordingly.

Follow-up Procedure

You can locate the fault according to the packet statistics displayed by the display mac-authen command. When the fault is rectified, run the reset mac-authen statistics command to clear the packet statistics. After a period of time, run the display mac-authen command again to check the packet statistics. If no error packets are found, the fault is rectified.

Example

# View all information about MAC address authentication.

<HUAWEI> display mac-authen
  MAC address authentication is Enabled.
  Username format: use MAC address without-hyphen as username
  Quiet period is 60s                                                     
  Authentication fail times before quiet is 1
  Offline detect period is 300s                                           
  Reauthenticate period is 1000s
  Guest user reauthenticate period is 60s                          
  Maximum users: 100
  Current users: 1                                                
  Global domain is not configured                                        
  Trigger condition: dhcp arp dhcpv6 nd     
                                                                                
 GigabitEthernet1/0/1 state : UP. MAC address authentication is enabled                                        
  Reauthentication is enabled                                                   
  Reauthen Period: 1000s                                                        
  Maximum users: 100                                                           
  Current users: 1                                                              
  Authentication Success: 0, Failure: 0                                         
                                                                                
 Online user(s) info:                                                           
 UserId   MAC/VLAN            AccessTime              UserName                  
 ------------------------------------------------------------------------------ 
 16016    5489-9801-583d/2003 2014/01/26 09:22:49     wlan                      
 ------------------------------------------------------------------------------ 
 Total 1,1 printed   
Table 13-97  Description of the display mac-authen command output

Item

Description

MAC address authentication is Enabled

MAC address authentication is enabled. To enable MAC address authentication, run the mac-authen command.

Username format

User name format for MAC address authentication.

  • use MAC address without-hyphen as username: A user name is a MAC address that does not contain hyphens (-), for example, 0005e01c02e3.
  • use MAC address with-hyphen as username: A user name is a MAC address that contains hyphens (-) and the hyphens are inserted between every four digits, for example, 0005-e01c-02e3.
  • use MAC address with-hyphen normal as username: A user name is a MAC address that contains hyphens (-) and the hyphens are inserted between every two digits, for example, 00-05-e0-1c-02-e3.
  • use MAC address without-hyphen upper as username: A user name is a MAC address in the uppercase format that does not contain hyphens (-), for example, 0005E01C02E3.
  • use MAC address with-hyphen upper as username: A user name is a MAC address in the uppercase format that contains hyphens (-) and the hyphens are inserted between every four digits, for example, 0005-E01C-02E3.
  • use MAC address with-hyphen normal upper as username: A user name is a MAC address in the uppercase format that contains hyphens (-) and the hyphens are inserted between every two digits, for example, 00-05-E0-1C-02-E3.
  • use MAC address with-hyphen colon as username: A user name is a MAC address that contains colons (:) and the colons are inserted between every four digits, for example, 0005:e01c:02e3.
  • use MAC address with-hyphen normal colon as username: A user name is a MAC address that contains colons (:) and the colons are inserted between every two digits, for example, 00:05:e0:1c:02:e3.
  • use MAC address with-hyphen colon upper as username: A user name is a MAC address in the uppercase format that contains colons (:) and the colons are inserted between every four digits, for example, 0005:E01C:02E3.
  • use MAC address with-hyphen normal colon upper as username: A user name is a MAC address in the uppercase format that contains colons (:) and the colons are inserted between every two digits, for example, 00:05:E0:1C:02:E3.
  • fixed username: The user name is fixed.
  • use option82 as username: The content of the Option 82 field is used as the user name.
  • not configured: The user name format is not configured.

To configure a user name, run the mac-authen username command.
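As an added example (not Huawei code), the following Python reproduces the MAC-based user name formats listed above, parses any of them back to a canonical MAC address, and compares user names seen in RADIUS accounting (constructed sample values) against a device inventory so that MAC address authentication logins from unknown devices can be flagged. All function names, the sample user names and the inventory are my own assumptions.

```python
"""Added example: work with the user name formats of `display mac-authen`."""
import re

# Each `mac-authen username` format from the command output, expressed as
# (hex digits per group, separator, uppercase?). Names follow the page.
USERNAME_FORMATS = {
    "without-hyphen":                 (12, "", False),
    "with-hyphen":                    (4, "-", False),
    "with-hyphen normal":             (2, "-", False),
    "without-hyphen upper":           (12, "", True),
    "with-hyphen upper":              (4, "-", True),
    "with-hyphen normal upper":       (2, "-", True),
    "with-hyphen colon":              (4, ":", False),
    "with-hyphen normal colon":       (2, ":", False),
    "with-hyphen colon upper":        (4, ":", True),
    "with-hyphen normal colon upper": (2, ":", True),
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(text):
    """Strip '-' and ':' separators and return 12 lowercase hex digits.

    Raises ValueError when the text is not a MAC address, which is how a
    fixed user name or Option 82 content is told apart from a MAC-based one.
    """
    digits = re.sub(r"[-:]", "", text.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def format_mac_username(mac, fmt):
    """Render a MAC address as the user name the switch sends for format `fmt`."""
    group, sep, upper = USERNAME_FORMATS[fmt]
    digits = canonical_mac(mac)
    if upper:
        digits = digits.upper()
    return sep.join(digits[i:i + group] for i in range(0, 12, group))


def detect_username_format(username):
    """Return the format name a user name matches, or None if it is not
    MAC-based. A MAC made only of decimal digits matches both the lowercase
    and uppercase variant; the lowercase name is returned first."""
    try:
        mac = canonical_mac(username)
    except ValueError:
        return None
    for name in USERNAME_FORMATS:
        if format_mac_username(mac, name) == username:
            return name
    return None


def unknown_mab_users(usernames, inventory):
    """Return MAC-based user names whose device is not in `inventory`.

    `inventory` holds MAC addresses in any of the notations above (for
    example an asset export); non-MAC user names are skipped.
    """
    known = {canonical_mac(m) for m in inventory}
    unknown = []
    for user in usernames:
        try:
            mac = canonical_mac(user)
        except ValueError:
            continue  # fixed user name or Option 82 content, not a MAC
        if mac not in known:
            unknown.append(user)
    return unknown


if __name__ == "__main__":
    # Constructed sample: user names as a RADIUS server might log them.
    seen = ["0005e01c02e3", "5489-9801-583d", "00:05:E0:1C:02:E4", "wlan"]
    inventory = ["00-05-e0-1c-02-e3"]  # constructed asset list
    for user in seen:
        print(f"{user:20} format={detect_username_format(user)}")
    print("unknown MAB devices:", unknown_mab_users(seen, inventory))
```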

Quiet period

Quiet timer value, during which the user waits for re-authentication after the maximum number of authentication failures is exceeded. The default value of the quiet timer is 60 seconds.

To set the quiet period, run the mac-authen timer command.

Authentication fail times before quiet

Maximum number of authentication failures before a MAC address authentication user enters the quiet state.

Offline detect period

Interval for detecting online users. The timer is used to periodically check whether a user is offline. The default interval is 300 seconds.

To set the interval for detecting online users, run the mac-authen timer command.

Reauthenticate period is 1000s

Interval at which users are re-authenticated. The default interval is 1800 seconds.

To set the re-authentication period, run the mac-authen timer command.

Guest user reauthenticate period is 60s

Interval at which users in a guest VLAN are re-authenticated. The default interval is 60 seconds.

To set the guest VLAN user re-authentication period, run the mac-authen timer command.

Maximum users

Maximum number of online users allowed by the device. The value varies according to device models.

To set the maximum number of MAC address authentication users on an interface, run the mac-authen max-user command.

Current users

Number of current online users.

Global domain

Current authentication domain. By default, no authentication domain is specified for users. If you do not specify any domain for users, the default domain in the system is used.

To configure an authentication domain, run the mac-authen domain command.

Trigger condition

Packet type that can trigger MAC address authentication.

To configure the packet type, run the mac-authen trigger command.

GigabitEthernet1/0/1 current state

Interface state.

  • UP: The interface is started.
  • DOWN: The interface is shut down.

MAC address authentication is Enabled

MAC address authentication is enabled on the interface. To enable MAC address authentication, run the mac-authen command.

Reauthentication is enabled

MAC address re-authentication is enabled. To enable MAC address re-authentication, run the mac-authen reauthenticate command.

Reauthen Period

Interval at which users are re-authenticated. The default interval is 1800 seconds. To set the re-authentication period, run the mac-authen timer reauthenticate-period command.

Maximum users

Maximum number of MAC address authentication users on the interface.

To set the maximum number of MAC address authentication users on an interface, run the mac-authen max-user command.

Current users

Number of current online users on the interface.

Authentication Success: 0, Failure: 0

Numbers of successful and failed authentications on the interface.

UserId

ID of an online user.

MAC/VLAN

MAC address and VLAN of a user.
NOTE:

If the AAA server delivers an authorized VLAN, information about the authorized VLAN is displayed.

AccessTime

Access time of a user.

UserName

Name of a user.

display mac-authen quiet-user

Function

The display mac-authen quiet-user command displays information about MAC address authentication users who are quieted.

Format

display mac-authen quiet-user { all | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all MAC address authentication users who are quieted.

-

mac-address mac-address

Displays information about a specified MAC address authentication user who is quieted.

The value is in the H-H-H format. Each H is a hexadecimal number of 1 to 4 digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view information about MAC address authentication users who are quieted.

Example

# Display information about all MAC address authentication users who are quieted.

<HUAWEI> display mac-authen quiet-user all
-------------------------------------------------------------------------------
MacAddress                                                Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003                                            50
-------------------------------------------------------------------------------
1 silent mac address(es) found, 1 printed. 
Table 13-98  Description of the display mac-authen quiet-user all command output

Item

Description

MacAddress

MAC address of a MAC address authentication user who is quieted.

Quiet Remain Time(Sec)

Remaining quiet time of a MAC address authentication user who is quieted, in seconds.

display portal

Function

The display portal command displays the Portal authentication configuration.

Format

display portal [ interface interface-type interface-number | configuration ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Displays the Portal authentication configuration on a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

Portal authentication configuration in the system view or on all interfaces is displayed if this parameter is not specified.

-

configuration

Displays the global Portal authentication configuration.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display portal command to view the Portal authentication configuration and check whether the configuration is correct.

Example

# Display the Portal authentication configuration.

<HUAWEI> display portal
 Portal timer offline-detect length:500                        
 Portal max-user number:100                                              
 Quiet function is Disabled                                            
 Different-server is Disabled
 Parameter set: Quiet Period      60s   Quiet-times          3     
 Logout packets resend: Resend-times 3  Timeout 5s
 Portal user(s) on slot 1:1
                                                                   
 Vlanif10 protocol status: up, web-auth-server layer2(direct)
   Portal domain: tsm                                           
   Auth-network:                                              
       10.3.3.3          255.255.255.255                    
       10.8.0.0          255.255.0.0                        

# Display the Portal authentication configuration on VLANIF10.

<HUAWEI> display portal interface vlanif 10
                                                                                
 Vlanif10 protocol status: up, web-auth-server layer2(direct)                 
    Portal domain: tsm                                           
    Auth-network:                                              
       10.3.3.3          255.255.255.255                    
       10.8.0.0          255.255.0.0                        
Table 13-99  Description of the display portal command output

Item

Description

Portal timer offline-detect length

Portal authentication user offline detection interval.

To set the user offline detection interval, run the portal timer offline-detect command.

Portal max-user number

Maximum number of concurrent Portal authentication users allowed to access the device. The value varies according to device models.

To set the maximum number of concurrent Portal authentication users allowed to access the device, run the portal max-user command.

Quiet function is Enabled or Quiet function is Disabled

Whether the quiet function in Portal authentication is enabled.
  • Enabled
  • Disabled

To enable the quiet function, run the portal quiet-period command.

Different-server is Enabled or Different-server is Disabled

Whether a device is enabled to process user logout requests sent by a Portal server other than the one from which users log in:
  • Enabled
  • Disabled

To configure a device to process user logout requests sent by a Portal server other than the one from which users log in, run the portal logout different-server enable command.

Parameter set

Parameter settings of the quiet function in Portal authentication.
  • Quiet Period: indicates the quiet period in Portal authentication. To set the quiet period in Portal authentication, run the portal timer quiet-period command.
  • Quiet-times: indicates the maximum number of authentication failures within 60 seconds before a Portal authentication user enters the quiet state. To set the maximum number of authentication failures, run the portal quiet-times command.

Logout packets resend

Configuration of the logout packet re-transmission function for Portal authentication users.
  • Resend-times: indicates the number of re-transmission times for Portal authentication user logout packets.
  • Timeout: indicates the re-transmission interval of Portal authentication user logout packets.

To set the re-transmission interval, run the portal logout resend timeout command.

Portal user(s) on slot 1

Statistics on Portal authentication users on an LPU.

NOTE:

This parameter is unavailable when no Portal authentication user is online.

When Portal authentication users go online through an Eth-Trunk, the number of Portal authentication users on the LPU where Eth-Trunk member interfaces are located is the same as the actual number of Portal authentication users on the LPU.

Vlanif10 protocol status

Link layer protocol state of the VLANIF interface.

  • up: indicates that the interface is running properly.
  • down: indicates that the interface is disabled.
  • web-auth-server layer2(direct): indicates that the authentication mode is set to Layer 2 Portal authentication on a specified interface.

Portal domain

Name of a forcible Portal authentication domain.

To set a forcible Portal authentication domain, run the portal domain command.

Auth-network

Portal authentication subnet.

To set the Portal authentication subnet, run the portal auth-network command.

display portal free-rule

Function

The display portal free-rule command displays authentication-free rules for Portal authentication users.

Format

display portal free-rule [ rule-id ]

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an authentication-free rule. If the rule ID is not specified, the configuration of all authentication-free rules is displayed.

The value is an integer that ranges from 0 to 1023.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display portal free-rule command shows the configuration of authentication-free rules. You can locate faults according to the command output.

Example

# Display the configuration of authentication-free rules.

<HUAWEI> display portal free-rule
portal free-rule 0 destination ip 10.1.1.1 mask 255.255.255.255                  
portal free-rule 10 destination ip 10.1.1.2 mask 255.255.255.255                
Total 2 free-rules                                               

# Display the configuration of authentication-free rule 10.

<HUAWEI> display portal free-rule 10
portal free-rule 10 destination ip 10.1.1.1 mask 255.255.255.255                                              

display portal https-redirect blacklist

Function

The display portal https-redirect blacklist command displays IPv4 addresses in the HTTPS redirection blacklist.

Format

display portal https-redirect blacklist

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run this command to check whether the addresses in the HTTPS redirection blacklist are correct.

Example

# Display IPv4 addresses in the HTTPS redirection blacklist.

<HUAWEI> display portal https-redirect blacklist
--------------------------------------
IP Address        Aging Time          
--------------------------------------
 10.1.1.1         2018-06-26 21:01:59 
--------------------------------------
 Total:1   Print:1
Table 13-100  Description of the display portal https-redirect blacklist command output
Item

Description

IP Address

IPv4 addresses in the blacklist. An address is either configured using the portal https-redirect blacklist command or added automatically when the condition specified by the portal https-redirect blacklist packet-rate or portal https-redirect blacklist retry-times interval command is met.

Aging Time

Time when an address in the blacklist is aged out (that is, time when an address is removed from the blacklist).

You can run the portal https-redirect blacklist aging-time command to configure the aging time of addresses in the blacklist.

Total:m Print:n

Total number of addresses in the blacklist, and number of addresses displayed.

display portal https-redirect whitelist

Function

The display portal https-redirect whitelist command displays IPv4 addresses in the HTTPS redirection whitelist.

Format

display portal https-redirect whitelist

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run this command to check whether the addresses in the HTTPS redirection whitelist are correct.

Example

# Display IPv4 addresses in the HTTPS redirection whitelist.

<HUAWEI> display portal https-redirect whitelist
IP Address:                    
-------------------------------
 10.1.2.1                      
-------------------------------
 Total:1   Print:1 
Table 13-101  Description of the display portal https-redirect whitelist command output
Item

Description

IP Address

IPv4 addresses in the whitelist, which are configured using the portal https-redirect whitelist command.

Total:m Print:n

Total number of addresses in the whitelist, and number of addresses displayed.

display portal quiet-user

Function

The display portal quiet-user command displays information about Portal authentication users in quiet state.

Format

display portal quiet-user { all | server-ip ip-address | user-ip ip-address }

Parameters

Parameter Description Value
all

Displays information about all Portal authentication users in quiet state.

-

user-ip ip-address

Displays information about the quiet user with the specified IP address.

The value is in dotted decimal notation.

server-ip ip-address

Displays information about all the users in quiet state authenticated by the Portal authentication server with a specified IP address.

The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the quiet timer is enabled, you can run the display portal quiet-user command to view information about Portal authentication users in quiet state.

Example

# Display information about all Portal authentication users in quiet state.

<HUAWEI> display portal quiet-user all
Quiet IP information
-------------------------------------------------------------------------------------
Quiet ip                                                    Quiet Remain Time(Sec)
------------------------------------------------------------------------------------
192.168.1.1                                                   10
192.168.1.2                                                   20
------------------------------------------------------------------------------------
2 quiet IP found, 2 printed.

# Display information about all the users in quiet state authenticated by the Portal authentication server with IP address 192.168.2.1.

<HUAWEI> display portal quiet-user server-ip 192.168.2.1
Quiet IP information
-------------------------------------------------------------------------------------
Quiet ip                                                    Quiet Remain Time(Sec)
------------------------------------------------------------------------------------
192.168.1.3                                                   10
192.168.1.4                                                   20
------------------------------------------------------------------------------------
2 quiet IP found, 2 printed.

# Display information about the user in quiet state at 192.168.1.1.

<HUAWEI> display portal quiet-user user-ip 192.168.1.1
 Quiet remain second     100
Table 13-102  Description of the display portal quiet-user command output

Item

Description

Quiet IP information

Information about the user in quiet state.

Quiet ip

IP address of the user in quiet state.

Quiet Remain Time(Sec)

Remaining quiet time of the user in quiet state, in seconds.

Quiet remain second

Remaining quiet period of the user in quiet state.

display portal user-logout

Function

The display portal user-logout command displays temporary logout entries of Portal authentication users.

Format

display portal user-logout [ ip-address ip-address [ vpn-instance vpn-instance-name ] ]

Parameters

Parameter

Description

Value

ip-address ip-address

Displays temporary logout entries of the Portal authentication user with a specified IP address.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Displays temporary logout entries of the Portal authentication user with a specified VPN instance.

The value must be an existing VPN instance name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The device records temporary entries after Portal authentication users are disconnected. The network administrator can run this command to check temporary logout entries to locate faults.

If the parameter ip-address ip-address [ vpn-instance vpn-instance-name ] is not specified, the temporary logout entries of all Portal authentication users are displayed.

Example

# Display the temporary logout entries of all Portal authentication users.

<HUAWEI> display portal user-logout
 --------------------------------------------------------------                                                                     
 UserIP           Vrf      Resend Times TableID                                                                                     
 --------------------------------------------------------------                                                                     
 192.168.111.100  1        3            0                                                                                           
 --------------------------------------------------------------                                                                     
 Total: 1, printed: 1
Table 13-103  Description of the display portal user-logout command output

Item

Description

UserIP

IP address of the Portal authentication user.

Vrf

VPN instance that the Portal authentication user belongs to.

Resend Times

Number of times a logout packet is retransmitted.

To set the number of logout packet re-transmission times, run the portal logout resend timeout command.

TableID

Index of the temporary logout entry.

Total: m, printed: n

Total number of temporary logout entries and number of displayed entries.

display portal url-encode configuration

Function

The display portal url-encode configuration command displays the configuration of URL encoding and decoding.

Format

display portal url-encode configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring URL encoding and decoding, you can run the display portal url-encode configuration command to check the configuration.

Example

# Display the configuration of URL encoding and decoding.

<HUAWEI> display portal url-encode configuration
  Portal URL Encode : Disable
Table 13-104  Description of the display portal url-encode configuration command output

Item

Description

Portal URL Encode

Whether URL encoding and decoding are enabled:
  • Disable
  • Enable

To configure the function, run the portal url-encode enable command.

display server-detect state

Function

The display server-detect state command displays the status of a Portal server.

Format

display server-detect state [ web-auth-server server-name ]

Parameters

Parameter

Description

Value

web-auth-server server-name

Displays information about the Portal server status configured in the specified Portal server template.

If this parameter is not specified, the status of all Portal servers is displayed.

The Portal server template name must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display server-detect state command to check information about the Portal server status.

Example

# Display information about the Portal server status configured in the Portal server template abc.

<HUAWEI> display server-detect state web-auth-server abc
  Web-auth-server     :    abc                      
  Total-servers       :    4                                                    
  Live-servers        :    1                                                    
  Critical-num        :    0                                                    
  Status              :    Normal                                               
  Ip-address               Status                                               
  192.168.2.1              UP                                                   
  192.168.2.2              DOWN                                                 
  192.168.2.3              DOWN                                                 
  192.168.2.4              DOWN  
Table 13-105  Description of the display server-detect state command output

Item

Description

Web-auth-server

Name of the Portal server template.

Total-servers

Number of Portal servers configured.

Live-servers

Number of Portal servers in Up state.

Critical-num

Minimum number of Portal servers that must be in Up state. If the number of Portal servers in Up state is less than this value, enable the survival function in the corresponding Portal server template view.

Status

Status of the Portal server. The values are as follows:
  • Normal: normal state
  • Permit-all: survival state

Ip-address

IP address of the Portal server.

Status

Whether the Portal server with the specified IP address is reachable. The values are as follows:
  • UP: reachable
  • DOWN: unreachable
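
A practitioner usually collects this output over SSH and post-processes it rather than reading it by eye. The following Python parser is an added example and is not part of the Huawei command reference: it reads the sample output shown above (copied from the page), turns the summary fields and the per-server rows into a dictionary, and then applies the checks implied by Table 13-105: whether the template is in survival state (Permit-all), whether Live-servers has dropped below Critical-num, whether no server is reachable at all, and whether the Live-servers counter agrees with the number of UP rows. The second sample, `DEGRADED_OUTPUT`, is constructed for illustration, and the function names are the example's own.

```python
"""Parse 'display server-detect state' output and report Portal server reachability.

Added example, not from the Huawei command reference. SAMPLE_OUTPUT is the
page's own example; DEGRADED_OUTPUT is a constructed variant. The parser
and the findings logic are assumptions about how an operator would
post-process the CLI text.
"""
import re

# Copied from the page's example for template "abc".
SAMPLE_OUTPUT = """\
  Web-auth-server     :    abc
  Total-servers       :    4
  Live-servers        :    1
  Critical-num        :    0
  Status              :    Normal
  Ip-address               Status
  192.168.2.1              UP
  192.168.2.2              DOWN
  192.168.2.3              DOWN
  192.168.2.4              DOWN
"""

# Constructed variant (not from the page): every server down, survival state active.
DEGRADED_OUTPUT = """\
  Web-auth-server     :    abc
  Total-servers       :    4
  Live-servers        :    0
  Critical-num        :    1
  Status              :    Permit-all
  Ip-address               Status
  192.168.2.1              DOWN
  192.168.2.2              DOWN
  192.168.2.3              DOWN
  192.168.2.4              DOWN
"""

# "Key : value" summary lines (the column header "Ip-address  Status" has no colon).
_KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z-]+)\s*:\s*(?P<val>.*?)\s*$")
# Per-server rows: dotted-decimal address followed by UP or DOWN.
_SERVER_RE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<state>UP|DOWN)\s*$")

_INT_FIELDS = ("Total-servers", "Live-servers", "Critical-num")


def parse_server_detect_state(text):
    """Return the summary fields plus a {ip: 'UP'|'DOWN'} map under 'servers'."""
    state = {"servers": {}}
    for line in text.splitlines():
        m = _SERVER_RE.match(line)
        if m:
            state["servers"][m.group("ip")] = m.group("state")
            continue
        m = _KV_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val")
            state[key] = int(val) if key in _INT_FIELDS else val
    return state


def server_detect_findings(text):
    """Apply the checks from Table 13-105 and return a list of human-readable findings."""
    state = parse_server_detect_state(text)
    name = state.get("Web-auth-server", "?")
    live = state.get("Live-servers", 0)
    critical = state.get("Critical-num", 0)
    up_rows = sum(1 for s in state["servers"].values() if s == "UP")
    findings = []
    if state.get("Status") == "Permit-all":
        findings.append(f"{name}: template is in survival state (Permit-all)")
    if live < critical:
        findings.append(f"{name}: Live-servers={live} is below Critical-num={critical}")
    if live == 0:
        findings.append(f"{name}: no Portal server is reachable")
    if up_rows != live:
        findings.append(f"{name}: Live-servers={live} but {up_rows} server row(s) show UP")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, DEGRADED_OUTPUT):
        print(server_detect_findings(sample) or ["no findings"])
```

Running the script on the page's own output yields no findings; on the constructed degraded output it reports the survival state, the breach of Critical-num and the absence of any reachable server. Feeding the function the output of every configured template on a schedule gives a simple reachability monitor that does not depend on the hwPortalServerDown trap being delivered.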

display snmp-agent trap feature-name mid_aaa all

Function

The display snmp-agent trap feature-name mid_aaa all command displays the status of all traps on the AAA module.

Format

display snmp-agent trap feature-name mid_aaa all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After enabling the trap function for the AAA module, you can run this command to check the status of all traps on the AAA module. To enable the trap function for the AAA module, run the snmp-agent trap enable feature-name mid_aaa command.

Prerequisites

The SNMP function has been enabled on the device. For details, see snmp-agent.

Example

# Display the status of all traps on the AAA module.

<HUAWEI> display snmp-agent trap feature-name mid_aaa all
------------------------------------------------------------------------------  
Feature name: MID_AAA                                                           
Trap number : 2                                                                 
------------------------------------------------------------------------------  
Trap name                       Default switch status   Current switch status   
hwMacMovedQuietMaxUserAlarm     on                      on                      
hwMacMovedQuietUserClearAlarm   on                      on                      
Table 13-106  Description of the display snmp-agent trap feature-name mid_aaa all command output

Item

Description

Feature name

Name of the module to which a trap belongs.

Trap number

Number of traps.

Trap name

Name of a trap. Traps on the AAA module include:

  • hwMacMovedQuietMaxUserAlarm: A Huawei proprietary trap is sent when the ratio of MAC address migration users currently in quiet state to the maximum number of such users exceeds the upper alarm threshold.

  • hwMacMovedQuietUserClearAlarm: A Huawei proprietary trap is sent when the ratio of MAC address migration users currently in quiet state to the maximum number of such users falls to or below the lower alarm threshold.

Default switch status

Default status of the trap function:
  • on: The trap function is enabled by default.

  • off: The trap function is disabled by default.

Current switch status

Trap status:

  • on: The trap is enabled.

  • off: The trap is disabled.

display snmp-agent trap feature-name mid_eapol all

Function

The display snmp-agent trap feature-name mid_eapol all command displays the status of all traps on the DOT1X module.

Format

display snmp-agent trap feature-name mid_eapol all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After enabling the trap function for the DOT1X module, you can run this command to check the status of all traps on the DOT1X module. To enable the trap function for the DOT1X module, run the snmp-agent trap enable feature-name mid_eapol command.

Prerequisites

The SNMP function has been enabled on the device. For details, see snmp-agent.

Example

# Display the status of all traps on the DOT1X module.

<HUAWEI> display snmp-agent trap feature-name mid_eapol all
------------------------------------------------------------------------------                                                      
Feature name: MID_EAPOL                                                                                                             
Trap number : 2                                                                                                                     
------------------------------------------------------------------------------                                                      
Trap name                       Default switch status   Current switch status                                                       
hwSrvcfgEapMaxUserAlarm         on                      on                                                                          
hwMacAuthenMaxUserAlarm         on                      on 
Table 13-107  Description of the display snmp-agent trap feature-name mid_eapol all command output

Item

Description

Feature name

Name of the module to which a trap belongs.

Trap number

Number of traps.

Trap name

Name of a trap. Traps on the DOT1X module include:

  • hwSrvcfgEapMaxUserAlarm: The device sends a Huawei proprietary trap when the number of 802.1X authentication users reaches the maximum number allowed on an interface.

  • hwMacAuthenMaxUserAlarm: The device sends a Huawei proprietary trap when the number of MAC address authentication users reaches the maximum number allowed on an interface.

Default switch status

Default status of the trap function:
  • on: The trap function is enabled by default.

  • off: The trap function is disabled by default.

Current switch status

Trap status:

  • on: The trap is enabled.

  • off: The trap is disabled.

display snmp-agent trap feature-name mid_web all

Function

The display snmp-agent trap feature-name mid_web all command displays the status of all traps on the web authentication module.

Format

display snmp-agent trap feature-name mid_web all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After enabling the trap function for the web authentication module, you can run this command to check the status of all traps on the web authentication module. To enable the trap function for the web authentication module, run the snmp-agent trap enable feature-name mid_web command.

Prerequisites

The SNMP function has been enabled on the device. For details, see snmp-agent.

Example

# Display the status of all traps on the web authentication module.

<HUAWEI> display snmp-agent trap feature-name mid_web all
------------------------------------------------------------------------------                                                      
Feature name: MID_WEB                                                                                                               
Trap number : 4                                                                                                                     
------------------------------------------------------------------------------                                                      
Trap name                       Default switch status   Current switch status                                                       
hwPortalServerUp                on                      on                                                                          
hwPortalServerDown              on                      on                                                                          
hwPortalMaxUserAlarm            on                      on                                                                          
hwPortalUserClearAlarm          on                      on 
Table 13-108  Description of the display snmp-agent trap feature-name mid_web all command output

Item

Description

Feature name

Name of the module to which a trap belongs.

Trap number

Number of traps.

Trap name

Name of a trap. Traps on the web authentication module include:

  • hwPortalServerUp: The device sends a Huawei proprietary trap when it detects that the Portal server changes from Down to Up.

  • hwPortalServerDown: The device sends a Huawei proprietary trap when it detects that the Portal server changes from Up to Down.

  • hwPortalMaxUserAlarm: The device sends a Huawei proprietary trap when the number of online Portal authentication users exceeds the upper threshold.

  • hwPortalUserClearAlarm: The device sends a Huawei proprietary trap when the number of online Portal authentication users falls below the lower threshold.

Default switch status

Default status of the trap function:
  • on: The trap function is enabled by default.

  • off: The trap function is disabled by default.

Current switch status

Trap status:

  • on: The trap is enabled.

  • off: The trap is disabled.
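
The three trap-status commands above (mid_aaa, mid_eapol and mid_web) print the same table layout, so one parser covers all of them. The following Python code is an added example, not code from the Huawei command reference: it parses the page's mid_web sample output into a dictionary keyed by trap name, checks that the number of rows matches the Trap number field, and lists every trap whose Current switch status is off. A trap that has been switched off silently removes an alarm (for example, hwPortalServerDown) from the monitoring system, which is exactly what a configuration audit should surface. The degraded sample is constructed for illustration, and the function names are the example's own.

```python
"""Parse 'display snmp-agent trap feature-name <module> all' output and flag disabled traps.

Added example, not from the Huawei command reference. MID_WEB_OUTPUT is the
page's own example; MID_WEB_DEGRADED is a constructed variant. The parser and
the findings logic are assumptions about how an operator would audit the CLI text.
"""
import re

# Copied from the page's example for the web authentication module.
MID_WEB_OUTPUT = """\
------------------------------------------------------------------------------
Feature name: MID_WEB
Trap number : 4
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
hwPortalServerUp                on                      on
hwPortalServerDown              on                      on
hwPortalMaxUserAlarm            on                      on
hwPortalUserClearAlarm          on                      on
"""

# Constructed variant (not from the page): the server-down trap has been switched off.
MID_WEB_DEGRADED = re.sub(
    r"^(hwPortalServerDown\s+on\s+)on\s*$", r"\1off", MID_WEB_OUTPUT, flags=re.M
)

# Header fields: "Feature name: MID_WEB" and "Trap number : 4".
_HDR_RE = re.compile(r"^(?P<key>Feature name|Trap number)\s*:\s*(?P<val>\S+)")
# Table rows: trap name, default switch status, current switch status.
_TRAP_RE = re.compile(r"^(?P<name>\w+)\s+(?P<default>on|off)\s+(?P<current>on|off)\s*$")


def parse_trap_status(text):
    """Return {'feature': str, 'trap_number': int, 'traps': {name: {'default', 'current'}}}."""
    info = {"feature": None, "trap_number": None, "traps": {}}
    for line in text.splitlines():
        m = _HDR_RE.match(line)
        if m:
            if m.group("key") == "Feature name":
                info["feature"] = m.group("val")
            else:
                info["trap_number"] = int(m.group("val"))
            continue
        m = _TRAP_RE.match(line)
        if m:
            info["traps"][m.group("name")] = {
                "default": m.group("default"),
                "current": m.group("current"),
            }
    return info


def trap_findings(text):
    """List traps that are currently off, plus any mismatch between Trap number and rows."""
    info = parse_trap_status(text)
    feature = info["feature"] or "?"
    findings = []
    if info["trap_number"] is not None and info["trap_number"] != len(info["traps"]):
        findings.append(
            f"{feature}: Trap number is {info['trap_number']} but {len(info['traps'])} rows parsed"
        )
    for name, status in info["traps"].items():
        if status["current"] == "off":
            findings.append(f"{feature}: {name} is off (default {status['default']})")
    return findings


if __name__ == "__main__":
    for sample in (MID_WEB_OUTPUT, MID_WEB_DEGRADED):
        print(trap_findings(sample) or ["no findings"])
```

The same functions work unchanged on the mid_aaa and mid_eapol output shown earlier, since only the Feature name and the trap names differ. Comparing the Current column against the Default column, as the findings text does, makes it obvious when a trap was deliberately turned off rather than never enabled.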

display static-user

Function

The display static-user command displays static user information.

Format

display static-user [ domain-name domain-name | interface interface-type interface-number | ip-address start-ip-address [ end-ip-address ] | vpn-instance vpn-instance-name ] * [ detail ]

Parameters

Parameter

Description

Value

domain-name domain-name

Displays static user information in a specified domain.

The value is a string of 1 to 64 case-sensitive characters without spaces, asterisks (*), question marks (?), or double quotation marks ("). The value cannot be - or --.

interface interface-type interface-number

Displays static user information on a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

ip-address start-ip-address [ end-ip-address ]

Displays static user information in a specified IP address range.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Displays static user information in a specified VPN instance.

The value must be an existing VPN instance name.

detail

Displays detailed information about static users.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After a static user is configured, you can run the display static-user command to view the static user information.

Example

# Display information about all static users configured.

<HUAWEI> display static-user
 IP-address       Interface       MAC-address    VPN                             
------------------------------------------------------------------------------- 
 10.1.1.1         GE1/0/3         -              -                               
 10.1.1.2         GE1/0/3         -              -                               
 10.1.1.3         GE1/0/3         -              -                               
 10.1.1.5         GE1/0/5         0001-0001-0001 -                               
 10.1.1.6         GE1/0/5         0001-0001-0001 -                               
 10.1.1.7         GE1/0/5         0001-0001-0001 -                               
 10.1.1.8         GE1/0/5         0001-0001-0001 -                               
 10.1.1.10        -               0002-0002-0002 -                               
 10.1.1.11        -               0002-0002-0002 -                               
 10.1.1.12        -               0002-0002-0002 -                               
------------------------------------------------------------------------------- 
Total item(s) displayed = 10                                                    

# Display detailed information about all static users.

<HUAWEI> display static-user detail
------------------------------------------------------------------------------- 
  IP address                            : 10.1.1.2
  IP static user                        : Yes                            
  Vpn-instance                          : -                                     
  Domain-name                           : local                                 
  Interface                             : -                                     
  MAC address                           : -                                     
  VLAN                                  : 0                                     
  Detect                                : Disable                               
  Keep-online                           : Disable                               
------------------------------------------------------------------------------- 
  IP address                            : 10.1.1.4
  IP static user                        : Yes                                                           
  Vpn-instance                          : -                                     
  Domain-name                           : -                                     
  Interface                             : -                                     
  MAC address                           : -                                     
  VLAN                                  : 0                                     
  Detect                                : Disable                               
  Keep-online                           : Enable                                
------------------------------------------------------------------------------- 
Total item(s) number= 2, displayed number= 2                                    
                                                                                
Ip-static-user enable status:                                                   
------------------------------------------------------------------------------- 
------------------------------------------------------------------------------- 
Total item(s) number= 0, displayed number= 0                      
Table 13-109  Description of the display static-user command output

Item

Description

IP-address/IP address

IP address of a static user.

Interface

Interface connected to a static user.

MAC-address/MAC address

MAC address of a static user.

VPN/Vpn-instance

VPN instance to which a static user belongs.

Total item(s) number= m, displayed number= n

The total number of entries is m and the number of displayed entries is n.

Ip-static-user enable status

Whether the function of identifying static users through IP addresses is enabled.

IP static user

Whether the user is a static user:
  • Yes
  • No

Domain-name

Domain to which a static user belongs.

VLAN

VLAN to which a static user belongs.

Detect

Whether the device is enabled to send ARP packets to trigger MAC address authentication for offline static users:
  • Enable
  • Disable

Keep-online

Whether a static user is kept online, with offline detection not performed:
  • Enable
  • Disable
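
The detailed output of display static-user is a sequence of records separated by dashed lines, followed by a summary line and a second (possibly empty) section. The following Python code is an added example and is not part of the Huawei command reference: it splits the page's sample output into one dictionary per static user, reads the Total item(s) summary lines, verifies that the displayed count matches the number of records parsed, and lists the users whose Keep-online field is Enable, meaning, as Table 13-109 states, that offline detection is not performed for them. Such entries deserve a periodic review, because the user stays online regardless of whether the host is still present. The function names are the example's own; the sample text is copied from the page.

```python
"""Parse 'display static-user detail' records and list users exempt from offline detection.

Added example, not from the Huawei command reference. SAMPLE_DETAIL is the
page's own example output; the record parser and the keep-online report are
assumptions about how an operator would post-process the CLI text.
"""
import re

# Copied from the page's "display static-user detail" example.
SAMPLE_DETAIL = """\
-------------------------------------------------------------------------------
  IP address                            : 10.1.1.2
  IP static user                        : Yes
  Vpn-instance                          : -
  Domain-name                           : local
  Interface                             : -
  MAC address                           : -
  VLAN                                  : 0
  Detect                                : Disable
  Keep-online                           : Disable
-------------------------------------------------------------------------------
  IP address                            : 10.1.1.4
  IP static user                        : Yes
  Vpn-instance                          : -
  Domain-name                           : -
  Interface                             : -
  MAC address                           : -
  VLAN                                  : 0
  Detect                                : Disable
  Keep-online                           : Enable
-------------------------------------------------------------------------------
Total item(s) number= 2, displayed number= 2

Ip-static-user enable status:
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Total item(s) number= 0, displayed number= 0
"""

# "Key : value" record fields; "-" in the value means the field is not set.
_FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?)\s*:\s*(?P<val>.*?)\s*$")
# Summary lines: "Total item(s) number= m, displayed number= n".
_TOTAL_RE = re.compile(r"Total item\(s\) number=\s*(\d+),\s*displayed number=\s*(\d+)")


def parse_static_user_detail(text):
    """Return (records, totals): a list of per-user dicts and a list of (total, displayed) pairs."""
    records, totals, current = [], [], {}
    for line in text.splitlines():
        if line.strip().startswith("---"):
            if current:                     # dashed line closes the current record
                records.append(current)
                current = {}
            continue
        m = _TOTAL_RE.search(line)
        if m:
            totals.append((int(m.group(1)), int(m.group(2))))
            continue
        m = _FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key == "IP address":             # every record starts with its IP address
            current = {key: val}
        elif current:                       # ignore stray "Key:" lines outside a record
            current[key] = val
    return records, totals


def counts_consistent(records, totals):
    """True when the first summary's displayed count equals the number of records parsed."""
    return bool(totals) and totals[0][1] == len(records)


def keep_online_users(records):
    """IP addresses of static users for which offline detection is not performed."""
    return [r["IP address"] for r in records if r.get("Keep-online") == "Enable"]


if __name__ == "__main__":
    recs, tots = parse_static_user_detail(SAMPLE_DETAIL)
    print(len(recs), "records, counts consistent:", counts_consistent(recs, tots))
    print("keep-online users:", keep_online_users(recs))
```

The trailing "Ip-static-user enable status:" line looks like a record field but is deliberately ignored, since a record only begins at an IP address line; the second summary pair (0, 0) is kept so that the caller can check that section too if the device has the function enabled.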

display url-template

Function

The display url-template command displays information about URL templates.

Format

display url-template { all | name template-name }

Parameters

Parameter

Description

Value

all

Displays information about all configured URL templates.

-

name template-name

Displays information about the URL template with a specified name.

The value is a string of 1 to 31 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After a URL template is configured, run the display url-template command to view information about the URL template.

Example

# Display information about all configured URL templates.

<HUAWEI> display url-template all
                                                                                
------------------------------------------------------------------------------- 
  Name                              URL     Start  Assignment  Isolate          
                                    Number  Mark   Mark        Mark           
------------------------------------------------------------------------------- 
  huawei                            0       ?      =           &                
  huawei2                           0       ?      =           &                
  huawei3                           0       ?      =           &                
------------------------------------------------------------------------------- 
  Total 3                 

# Display information about the URL template huawei.

<HUAWEI> display url-template name huawei
  Name : huawei                                                                 
  URL  :                                                                        
    1. http://10.1.1.1                                                          
  Start mark      : !                                                           
  Assignment mark : j                                                           
  Isolate mark    : =                                                           
  User MAC        :                                                             
  Redirect URL    :                                                             
  User IP address :                                                             
  Sysname         :                                                             
  Delimiter       : %                                                           
  Format          : normal 
  Login URL Key   : logiurl
  Login URL       : http:\\huawei.com
Table 13-110  Description of the display url-template command output

Item

Description

Name

Name of a URL template.

URL

URL of the Portal server. For details, see url (URL template view).

Start mark

Start character in the URL address. For details, see parameter.

Assignment mark

Assignment character in the URL address. For details, see parameter.

Isolate mark

Delimiter between URL addresses. For details, see parameter.

User MAC

MAC address of a user. For details, see url-parameter.

Redirect URL

URL in the original user packet. For details, see url-parameter.

User IP address

User IP address. For details, see url-parameter.

Sysname

Device name. For details, see url-parameter.

Delimiter

Delimiter between MAC addresses in URL. For details, see url-parameter mac-address format.

Format

Format of MAC addresses in the URL. For details, see url-parameter mac-address format.

Login URL Key

Identification keyword for the login URL sent to the Portal server during redirection. For details, see url-parameter.

Login URL

Device login URL. For details, see url-parameter.

display user-group

Function

The display user-group command displays the configuration of a user group.

Format

display user-group [ group-name ]

Parameters

Parameter

Description

Value

group-name

Displays the configuration of a specified user group.

The configurations of all user groups are displayed if this parameter is not specified.

The value is a string of 1 to 64 case-sensitive characters without spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display user-group command to obtain the user group configuration and locate faults according to the command output.

Example

# Display the configuration of all user groups.

<HUAWEI> display user-group
 -------------------------------------------------------------------------------
 ID    Group name                     Rule-num   User-num  Status
 -------------------------------------------------------------------------------
 0     abc                            0          0         disabled
 -------------------------------------------------------------------------------
 Total 1 
NOTE:

When the length of Group name exceeds 14 characters, the name is displayed in abridged mode.

# Display the configuration of the user group abc.

<HUAWEI> display user-group abc
  User group ID           : 0
  Group name              : abc
  ACL ID                  :
  ACL rule number         : 0
  User-num                : 0
  VLAN                    :
  Remark dscp             :
  Remark 8021p            :
  Status                  : disabled
Table 13-111  Description of the display user-group command output

Item

Description

ID

ID of the user group.

Rule-num

Number of ACL rules.

User group ID

ID of the user group.

Group name

Name of the user group.

ACL ID

ID of the ACL bound to the user group.

To set the ACL ID, run the acl-id (user group view) command.

ACL rule number

Number of ACL rules.

User-num

Number of online users bound to the user group.

VLAN

VLAN of the user group.

To set the VLAN, run the user-vlan (user group view) command.

Remark dscp

Priorities for processing IP packets.

To set the priorities, run the remark command.

Remark 8021p

Priorities for processing Ethernet Layer 2 packets.

To set the priorities, run the remark command.

Status

Status of the user group.

  • disabled: The user group is disabled.
  • enabled: The user group is enabled.

display web-auth-server configuration

Function

The display web-auth-server configuration command displays the Portal server configuration.

Format

display web-auth-server configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the Portal server template is configured, the display web-auth-server configuration command displays the Portal server configuration.

Example

# Display the Portal server configuration.

<HUAWEI> display web-auth-server configuration
  Listening port        : 2000
  Portal                : version 1, version 2
  Include reply message : enabled

------------------------------------------------------------------------------- 
  Enabled protocol      : https
  Listening port        : 8443 
  SSL policy            : default_policy

-------------------------------------------------------------------------------
  Web-auth-server Name : huawei
  IP-address           :
  Shared-key           :
  Source-IP            : -
  Port / PortFlag      : 50100 / NO
  URL                  : https://192.168.2.10:8443/webauth
  URL Template         :
  URL Template ParaName:                                                        
  URL Template IVName  :                                                        
  URL Template Key     :                       
  Redirection          : Enable
  Sync                 : Disable
  Sync Seconds         : 300
  Sync Max-times       : 3
  Detect               : Disable
  Detect Seconds       : 60
  Detect Max-times     : 3
  Detect Critical-num  : 0
  Detect Action        :
  VPN Instance         :
  Bound Vlanif         :                                                        
  Bound Interface      : 

  Protocol             : http
  Http Get-method      : disable 
  Password Encrypt     : none
  Cmd ParseKey         : cmd
  Username ParseKey    : username
  Password ParseKey    : password
  MAC Address ParseKey : macaddress
  IP Address ParseKey  : ipaddress
  Initial URL ParseKey : initurl
  Login Cmd            : login  
  Logout Cmd           : logout
  Login Success 
       Reply Type      : redirect initial URL
       Redirect URL    :
       Message         : LoginSuccess!
  Login Fail 
       Reply Type      : redirect login URL
       Redirect URL    :
       Message         : LoginFail!
  Logout Success 
       Reply Type      : message
       Redirect URL    :
       Message         : LogoutSuccess!
  Logout Fail 
       Reply Type      : message
       Redirect URL    :
       Message         : LogoutFail!

-------------------------------------------------------------------------------
  1 Web authentication server(s) in total                    
Table 13-112  Description of the display web-auth-server configuration command output

Item

Description

Listening port

Listening port for Portal protocol packets.

To configure a listening port, run the web-auth-server listening-port command.

Portal

Portal protocol version.

  • version 1, version 2: The device supports both the versions V1.0 and V2.0.
  • version 2: The device supports version V2.0.

To configure the Portal protocol version, run the web-auth-server version command.

Include reply message

Whether the packets sent from the device to the Portal server contain authentication responses.

  • enabled
  • disabled

To enable the device to transparently transmit authentication responses of users sent by the authentication server to the Portal server, run the web-auth-server reply-message command.

Enabled protocol

Enabled HTTP or HTTPS protocol.

  • http
  • https

To enable the HTTP or HTTPS protocol, run the portal web-authen-server command.

Listening port

HTTP or HTTPS port number.

To configure the HTTP or HTTPS port number, run the portal web-authen-server command.

SSL policy

SSL policy referenced by the HTTPS protocol.

To configure the SSL policy referenced by the HTTPS protocol, run the portal web-authen-server command.

Web-auth-server Name

Name of the Portal server template.

To configure the Portal server template name, run the web-auth-server (system view) command.

IP-address

IP address of the Portal server.

To configure the IP address of the Portal server, run the server-ip (Portal server template view) command.

Shared-key

Shared key of the Portal server.

To configure the shared key of the Portal server, run the shared-key (Portal server template view) command.

Source-IP

IP address used for communication with the Portal server.

To configure the IP address used for communication with the Portal server, run the source-ip (Portal server template view) command.

Port / PortFlag

  • Port: indicates the port number of the Portal server.
  • PortFlag: indicates whether packets are always sent through this port.

To configure the port number of the Portal server, run the port (Portal server template view) command.

URL

URL of the Portal server.

To configure the URL of the Portal server, run the url (Portal server template view) command.

URL Template

URL template bound to the Portal server template.

To configure the URL template, run the url-template (Portal server template view) command.

Redirection

Redirection status of Portal authentication.
  • Disable: Redirection of Portal authentication is disabled.
  • Enable: Redirection of Portal authentication is enabled.

To configure redirection of Portal authentication, run the web-redirection disable (Portal server template view) command.

Sync

User information synchronization.

  • Disable
  • Enable

To enable user information synchronization, run the user-sync command.

Sync Seconds

User information synchronization interval.

To set the user information synchronization interval, run the user-sync command.

Sync max-times

Maximum number of times that user information synchronization fails.

To set the maximum number of times that user information synchronization fails, run the user-sync command.

Detect

Portal server detection and keepalive functions.

  • Disable
  • Enable

To configure Portal server detection and keepalive functions, run the server-detect command.

Detect Seconds

Detection interval of the Portal server.

To set the detection interval of the Portal server, run the server-detect command.

Detect max-times

Maximum number of detection failures.

To set the maximum number of detection failures, run the server-detect command.

Detect Critical-num

Minimum number of Portal servers in Up state. If the number of Portal servers in Up state falls below this value, the survival function configured in the corresponding Portal server template view is enabled.

To configure this function, run the server-detect command.

Detect Action

Action taken after the number of detection failures exceeds the maximum.
  • log: The device sends logs after the number of detection failures exceeds the maximum.
  • trap: The device sends traps after the number of detection failures exceeds the maximum.
  • permit-all: Portal authentication on the interface is disabled after the number of detection failures exceeds the maximum.

To configure an action taken after the number of detection failures exceeds the maximum, run the server-detect command.

Bound Vlanif

VLANIF interface to which the Portal server template is bound.

To bind the Portal server template to a VLANIF interface, run the web-auth-server (interface view) command.

VPN instance

VPN instance used for Portal authentication.

To configure a VPN instance, run the vpn-instance (Portal server template view) command.

Bound Interface

Ethernet interface or Eth-Trunk to which the Portal server template is bound.

To bind the Portal server template to an Ethernet interface or Eth-Trunk, run the web-auth-server (interface view) command.

Http Get-method

Whether users submit user name and password information to the device in GET mode:

  • disable: GET mode is not used.
  • enable: GET mode is used.

To configure the GET mode, run the http get-method enable command.

Protocol

Protocol used in Portal authentication.

  • Portal
  • http

To configure the protocol used in Portal authentication, run the protocol (Portal server template view) command.

Password Encrypt

Whether the password is encrypted:

  • none: The password is not encrypted.
  • uam: The password is encrypted using the ASCII character mode.

To configure the password encryption mode, run the protocol (Portal server template view) command.

Cmd ParseKey

Command identification keyword.

To configure the command identification keyword, run the http-method post command.

Username ParseKey

User name identification keyword.

To configure the user name identification keyword, run the http-method post command.

Password ParseKey

User password identification keyword.

To configure the user password identification keyword, run the http-method post command.

MAC Address ParseKey

User MAC address identification keyword.

To configure the user MAC address identification keyword, run the http-method post command.

IP Address ParseKey

User IP address identification keyword.

To configure the user IP address identification keyword, run the http-method post command.

Initial URL ParseKey

User initial login URL identification keyword.

To configure the user initial login URL identification keyword, run the http-method post command.

Login Cmd

User login identification keyword.

To configure the user login identification keyword, run the http-method post command.

Logout Cmd

User logout identification keyword.

To configure the user logout identification keyword, run the http-method post command.

Login Success

User login success.

Reply Type

Redirection response type.

  • redirect initial URL: A user is redirected to the initial login URL after successful login.
  • redirect login URL: A user is redirected to the login URL after a login failure.
  • message: specifies the displayed message.
  • redirect URL: A user is redirected to a specified URL.

To configure the redirection response type, run the http-method post command.

Redirect URL

Redirection URL.

To configure the redirection URL, run the http-method post command.

Message

Displayed message.

To configure the displayed message, run the http-method post command.

Login Fail

User login failure.

Logout Success

User logout success.

Logout Fail

User logout failure.
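As an added example (not Huawei code), the following Python audit parses the "Item : Value" lines of this display output and flags the settings the table above describes as fail-open or unprotected: a permit-all detection action, an unencrypted password submitted over HTTP, a plaintext Portal URL, a missing shared key, and detection switched off. The sample output is constructed and its values are made up.

```python
"""Audit of 'display web-auth-server configuration' output.

Added example, not Huawei code. It parses the 'Item : Value' lines the command
prints and flags the settings the reference describes as fail-open or
unprotected. The sample output is constructed; the values are made up.
"""
import re

# Constructed sample of one Portal server template block (made-up values).
SAMPLE_OUTPUT = """\
  Web-auth-server Name : portal1
  IP-address           : 192.0.2.10
  Shared-key           : ******
  Source-IP            :
  Port / PortFlag      : 50100 / NO
  URL                  : http://192.0.2.10/portal
  Detect               : enable
  Detect Seconds       : 30
  Detect Max-times     : 3
  Detect Critical-num  : 0
  Detect Action        : permit-all
  Protocol             : http
  Http Get-method      : disable
  Password Encrypt     : none
  Login Success
       Reply Type      : redirect initial URL
"""

# Item name, optional spaces, colon, value (possibly empty). Lines without a
# colon (for example "Login Success") are group headings and are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?)\s*:\s*(.*?)\s*$")


def parse_template(text):
    """Return {item: value} for one template block; items without a value map to ''."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def audit_template(fields):
    """Return (item, value, reason) findings for settings worth a second look."""
    findings = []
    if fields.get("Detect", "").lower() != "enable":
        findings.append(("Detect", fields.get("Detect", ""),
                         "server-detect is off, so an unreachable Portal server is never noticed"))
    if "permit-all" in fields.get("Detect Action", "").lower():
        findings.append(("Detect Action", fields["Detect Action"],
                         "fail-open: Portal authentication is disabled on the interface after detection fails"))
    if (fields.get("Protocol", "").lower() == "http"
            and fields.get("Password Encrypt", "none").lower() == "none"):
        findings.append(("Password Encrypt", "none",
                         "passwords submitted to the device over HTTP are not encrypted"))
    url = fields.get("URL", "")
    if url.lower().startswith("http://"):
        findings.append(("URL", url, "Portal page is delivered over plaintext HTTP"))
    if not fields.get("Shared-key"):
        findings.append(("Shared-key", "", "no shared key: Portal protocol packets are not authenticated"))
    return findings


if __name__ == "__main__":
    for item, value, reason in audit_template(parse_template(SAMPLE_OUTPUT)):
        print(f"{item:18} = {value!r:28} {reason}")
```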

device-sensor dhcp option

Function

The device-sensor dhcp option command enables the DHCP-based terminal type awareness function.

The undo device-sensor dhcp option command disables the DHCP-based terminal type awareness function.

By default, the DHCP-based terminal type awareness function is disabled.

Format

device-sensor dhcp option option-code &<1-6>

undo device-sensor dhcp option option-code &<1-6>

Parameters

Parameter Description Value
option-code

Specifies the DHCP option field that the device needs to resolve.

The option fields in a DHCP packet carry the control information and parameters, for example, terminal type.

The value is an integer that ranges from 1 to 254.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A device usually connects to many types of terminals. You may need to assign different network access rights or packet processing priorities to the terminals of different types. For example, the voice devices, such as IP phones, should be assigned a high packet processing priority because voice signals require low delay and jitter.

After the DHCP-based terminal type awareness function is enabled, the device can resolve the option fields that carry terminal type information in the received DHCP Request packets. The device then sends the option information to the RADIUS server through RADIUS accounting packets. Through the option information, the RADIUS server knows the terminal types and controls the network access rights and packet processing priorities of the terminals.

Precautions

  • The command takes effect only when the authentication or accounting mode in the AAA scheme is RADIUS.

  • To make this command take effect, you must run the dhcp snooping enable command on the interfaces or in VLANs.

Example

# Set the option fields to be resolved by the device to option 60.
<HUAWEI> system-view
[HUAWEI] device-sensor dhcp option 60
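As an added example (not Huawei code), the following Python code shows the option parsing this command enables: it builds a constructed DHCP Request, walks its option fields with the client-supplied lengths checked before use, and returns only the option codes an operator asked for (here option 60, the vendor class identifier). Codes 0 (Pad) and 255 (End) are structural markers, which is why the command accepts only 1 to 254.

```python
"""DHCP option parsing of the kind device-sensor dhcp option enables.

Added example, not Huawei code. The packet, the vendor class string and the
requested option codes are constructed sample values.
"""

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: the options field starts with this
FIXED_HEADER_LEN = 236                    # op .. file fields of the BOOTP header


def build_dhcp_request(options):
    """Constructed DHCP Request: zeroed BOOTREQUEST header, cookie, options, End."""
    header = bytes([1, 1, 6, 0]) + bytes(FIXED_HEADER_LEN - 4)  # op, htype, hlen, hops
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + DHCP_MAGIC_COOKIE + body + b"\xff"


def parse_dhcp_options(packet):
    """Return {code: value} for every option in the packet.

    Length bytes come from the client, so each one is checked against the
    packet before it is trusted. Repeated codes are concatenated (RFC 3396).
    """
    cookie = packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4]
    if len(packet) < FIXED_HEADER_LEN + 4 or cookie != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options = {}
    i = FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:                      # Pad: one byte, no length field
            i += 1
            continue
        if code == 255:                    # End: nothing after this is an option
            break
        if i + 1 >= len(packet):
            raise ValueError(f"option {code}: length byte missing")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} overruns the packet")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def device_sensor_options(packet, option_codes):
    """Return only the requested options, as the enabled function reports them."""
    for code in option_codes:
        if not 1 <= code <= 254:
            raise ValueError(f"option code {code} is outside the configurable range 1-254")
    options = parse_dhcp_options(packet)
    return {code: options[code] for code in option_codes if code in options}


if __name__ == "__main__":
    # Constructed request: message type (53), vendor class (60), parameter list (55).
    packet = build_dhcp_request([(53, b"\x03"), (60, b"MSFT 5.0"), (55, bytes([1, 3, 6, 15]))])
    print(device_sensor_options(packet, [60]))   # what 'device-sensor dhcp option 60' would forward
```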

device-sensor lldp tlv

Function

The device-sensor lldp tlv command enables the LLDP-based terminal type awareness function.

The undo device-sensor lldp tlv command disables the LLDP-based terminal type awareness function.

By default, the LLDP-based terminal type awareness function is disabled.

Format

device-sensor lldp tlv tlv-type &<1-4>

undo device-sensor lldp tlv

Parameters

Parameter Description Value
tlv-type

Specifies the LLDP TLV type that the device parses from received LLDP packets to identify the terminal type.

The value is an integer that can be 1, 2, 5, 6, 7, 8, or 127. The values are as follows:
  • 1: Chassis ID TLV, indicating the bridge MAC address of the device
  • 2: Port ID TLV, indicating the port that sends the LLDPDU
  • 5: System Name TLV, indicating the device name
  • 6: System Description TLV, indicating the system description
  • 7: System Capabilities TLV, indicating the system capabilities
  • 8: Management Address TLV, indicating the management address
  • 127: Organization Specific TLV, indicating the user-defined organization information

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A device usually connects to many types of terminals. You may need to assign different network access rights or packet processing priorities to the terminals of different types. For example, the voice devices, such as IP phones, should be assigned a high packet processing priority because voice signals require low delay and jitter.

Using the LLDP-based terminal type awareness function, the device parses the required TLV type containing terminal type information from the received LLDP packets. The device then sends the TLV type information to the RADIUS server through a RADIUS accounting packet. Through the TLV type information, the RADIUS server knows the terminal types and controls the network access rights and packet processing priorities of the terminals.

Precautions

  • The command takes effect only when the authentication or accounting mode in the AAA scheme is RADIUS.

  • The command takes effect only when the LLDP function is enabled on the device and the connected peer device.

Example

# Enable the terminal type awareness function based on LLDP TLV type 5.

<HUAWEI> system-view
[HUAWEI] device-sensor lldp tlv 5
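As an added example (not Huawei code), the following Python code shows the TLV parsing this command enables: it builds a constructed LLDPDU, walks the 7-bit type / 9-bit length TLV headers with the peer-supplied lengths verified first, and returns only the TLV types the command accepts (1, 2, 5, 6, 7, 8 and 127). The chassis MAC address, port name, system name and OUI are made up.

```python
"""LLDP TLV parsing of the kind device-sensor lldp tlv enables.

Added example, not Huawei code. The LLDPDU and every value in it are
constructed sample data.
"""
import struct

SENSOR_TLV_TYPES = {1, 2, 5, 6, 7, 8, 127}   # the values the command accepts
END_OF_LLDPDU = 0


def build_lldpdu(tlvs):
    """Constructed LLDPDU: each TLV is a 16-bit header (type << 9 | length) plus value."""
    out = b""
    for tlv_type, value in tlvs:
        if len(value) > 0x1FF:
            raise ValueError("TLV value longer than 511 bytes")
        out += struct.pack("!H", (tlv_type << 9) | len(value)) + value
    return out + struct.pack("!H", 0)            # End of LLDPDU TLV


def parse_lldpdu(pdu):
    """Return [(type, value), ...] up to the End TLV; a length that overruns the PDU is rejected."""
    tlvs = []
    i = 0
    while True:
        if i + 2 > len(pdu):
            raise ValueError("LLDPDU truncated before the End TLV")
        (header,) = struct.unpack_from("!H", pdu, i)
        tlv_type, length = header >> 9, header & 0x1FF
        if tlv_type == END_OF_LLDPDU:
            return tlvs
        value = pdu[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type}: length {length} overruns the PDU")
        tlvs.append((tlv_type, value))
        i += 2 + length


def describe_tlv(tlv_type, value):
    """Decode the TLVs whose value has inner structure; anything else is returned as hex."""
    if tlv_type == 1 and value[:1] == b"\x04":        # Chassis ID, subtype 4 = MAC address
        return ":".join(f"{b:02x}" for b in value[1:])
    if tlv_type == 2 and value[:1] in (b"\x05", b"\x07"):   # Port ID, subtype 5/7 = textual name
        return value[1:].decode("utf-8", errors="replace")
    if tlv_type in (5, 6):                            # System Name / System Description are text
        return value.decode("utf-8", errors="replace")
    if tlv_type == 127:                               # Organizationally specific: OUI, subtype, info
        return {"oui": value[:3].hex(), "subtype": value[3], "info": value[4:]}
    return value.hex()


def device_sensor_tlvs(pdu, tlv_types):
    """Return {type: [decoded values]} for the requested types only."""
    unsupported = set(tlv_types) - SENSOR_TLV_TYPES
    if unsupported:
        raise ValueError(f"TLV type(s) not accepted by the command: {sorted(unsupported)}")
    result = {}
    for tlv_type, value in parse_lldpdu(pdu):
        if tlv_type in tlv_types:
            result.setdefault(tlv_type, []).append(describe_tlv(tlv_type, value))
    return result


if __name__ == "__main__":
    # Constructed LLDPDU from a made-up IP phone: chassis MAC, port name, TTL, system name,
    # and one organizationally specific TLV (made-up OUI and subtype).
    pdu = build_lldpdu([
        (1, b"\x04" + bytes.fromhex("001122334455")),
        (2, b"\x05GigabitEthernet1/0/1"),
        (3, b"\x00\x78"),
        (5, b"ip-phone-01"),
        (127, bytes.fromhex("0012bb") + b"\x01" + b"\x00\x12"),
    ])
    print(device_sensor_tlvs(pdu, [5]))   # what 'device-sensor lldp tlv 5' would forward
```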

dot1x authentication-method

Function

The dot1x authentication-method command sets the authentication mode for 802.1X users.

The undo dot1x authentication-method command restores the default authentication mode for 802.1X users.

By default, the global 802.1X user authentication mode is CHAP authentication and the 802.1X user authentication mode on interfaces is the same as the mode globally configured.

Format

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

Parameters

Parameter

Description

Value

chap

Indicates the CHAP-based EAP termination authentication mode.

-

pap

Indicates the PAP-based EAP termination authentication mode.

-

eap

Indicates the EAP relay mode.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

During 802.1X authentication, users exchange authentication information with the device using EAP packets. The device uses two modes to exchange authentication information with the RADIUS server.
  • EAP termination: The device directly parses EAP packets, encapsulates user authentication information into a RADIUS packet, and sends the RADIUS packet to the RADIUS server for authentication. In EAP termination authentication mode, the device and RADIUS server exchange information using PAP or CHAP.

    • PAP is a two-way handshake authentication protocol. It transmits passwords in plain text in RADIUS packets and is not recommended because of its low security.
    • CHAP is a three-way handshake authentication protocol. It transmits only user names, not passwords, in RADIUS packets. CHAP is more secure and reliable than PAP; if high security is required, CHAP is recommended.

    After the device directly parses EAP packets, user information in the EAP packets is authenticated by a local AAA module, or sent to the RADIUS or HWTACACS server for authentication.

  • EAP relay (specified by eap): The device encapsulates EAP packets into RADIUS packets and sends the RADIUS packets to the RADIUS server, but does not parse the received EAP packets that include user authentication information. This mechanism is called EAP over Radius (EAPOR).

The EAP relay mechanism requires that the RADIUS server be capable of parsing a large number of EAP packets and carrying out authentication; therefore, EAP relay is used if the RADIUS server has high processing capabilities. If the RADIUS server cannot parse a large number of EAP packets and carry out authentication, EAP termination is recommended, so that the device helps the RADIUS server parse EAP packets.
NOTE:
  • The authentication mode can be set to EAP relay for 802.1X authentication users only when RADIUS authentication is used.

  • If the 802.1X client uses the MD5 encryption mode, the user authentication mode on the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP authentication mode, the authentication mode on the device can be set to EAP.
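As an added example (not Huawei code), the following Python code shows the two attribute encodings the device uses in EAP termination mode, following RFC 2865 section 5.2 (User-Password, PAP) and section 5.3 (CHAP-Password, CHAP); the shared secret, Request Authenticator and CHAP challenge are constructed. It makes the guideline concrete: the PAP attribute is reversible by anyone who holds the shared secret, whereas the CHAP attribute is a one-way hash that the server can only verify against its own copy of the password.

```python
"""PAP versus CHAP in EAP termination mode, as the device would build the RADIUS attribute.

Added example, not Huawei code. Encodings follow RFC 2865 5.2 and 5.3; the
secret, authenticator and challenge used with it are constructed values.
"""
import hashlib


def pap_user_password(password, secret, request_authenticator):
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple (at least 16), then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    encoded, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        encoded += block
        prev = block
    return encoded


def pap_recover_password(attribute, secret, request_authenticator):
    """Inverse of the above: the RADIUS server (or anyone holding the secret) gets the
    cleartext back. Padding NULs are stripped; a password ending in NUL is not distinguishable."""
    decoded, prev = b"", request_authenticator
    for i in range(0, len(attribute), 16):
        mask = hashlib.md5(secret + prev).digest()
        decoded += bytes(c ^ m for c, m in zip(attribute[i:i + 16], mask))
        prev = attribute[i:i + 16]
    return decoded.rstrip(b"\x00")


def chap_password(ident, password, challenge):
    """RFC 2865 5.3: CHAP Ident byte followed by MD5(Ident + password + challenge).
    The challenge is carried separately (CHAP-Challenge attribute or Request Authenticator)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(attribute, password, challenge):
    """What the RADIUS server does: recompute from its stored cleartext password and compare.
    Nothing in the attribute lets a third party recover the password."""
    return len(attribute) == 17 and attribute == chap_password(attribute[0], password, challenge)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed, not a real secret
    authenticator = bytes(range(16))                # constructed Request Authenticator
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed CHAP challenge
    pap = pap_user_password(b"s3cret", secret, authenticator)
    print("PAP attribute :", pap.hex(), "-> recovered with secret:", pap_recover_password(pap, secret, authenticator))
    chap = chap_password(0x2A, b"s3cret", challenge)
    print("CHAP attribute:", chap.hex(), "-> verifies:", chap_verify(chap, b"s3cret", challenge))
```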

Example

# Set the authentication mode to EAP for 802.1X users in the device in the system view.

<HUAWEI> system-view
[HUAWEI] dot1x authentication-method eap

# Set the authentication mode to EAP for 802.1X users on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x authentication-method eap

dot1x dhcp-trigger

Function

The dot1x dhcp-trigger command enables DHCP-triggered 802.1X authentication.

The undo dot1x dhcp-trigger command disables DHCP-triggered 802.1X authentication.

By default, DHCP-triggered 802.1X authentication is disabled.

Format

dot1x dhcp-trigger

undo dot1x dhcp-trigger

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP-triggered 802.1X authentication is enabled using the dot1x dhcp-trigger command, the device sends an 802.1X authentication-start packet to the user when receiving a DHCP Request message from the user. When the user receives the 802.1X authentication-start packet from the device, the 802.1X authentication page is displayed on the client device and prompts the user to enter the user name and password for authentication. During 802.1X network deployment, DHCP-triggered 802.1X authentication enables 802.1X users to start 802.1X authentication without dial-up using the client software, which facilitates network deployment.
NOTE:

After receiving the request packet from an 802.1X user, the device starts authenticating the user. If the user is authenticated, the device allocates an IP address to the user through a DHCP server; if the user fails the authentication, the user cannot obtain a dynamic IP address from the DHCP server.

Prerequisites

802.1X authentication has been enabled globally and on an interface using the dot1x enable command.

Precautions

The dot1x dhcp-trigger command can be used only when the client supports DHCP and 802.1X authentication.

Example

# Enable DHCP-triggered 802.1X authentication.

<HUAWEI> system-view
[HUAWEI] dot1x dhcp-trigger

dot1x domain

Function

The dot1x domain command configures a forcible domain for 802.1X authentication users.

The undo dot1x domain command restores the default setting of a forcible domain for 802.1X authentication users.

By default, no forcible domain is configured for 802.1X authentication users.

Format

dot1x domain domain-name

undo dot1x domain

Parameters

Parameter

Description

Value

domain-name

Specifies the name of a forcible domain.

The value must be an existing domain name on the device.

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During authentication, if the user name entered by a user does not contain a domain name, the user will be authenticated in the default domain; if the user name contains a domain name, the user will be authenticated in the specified domain.

If the user names entered by many users do not contain domain names, too many users are authenticated in the default domain, making the authentication scheme inflexible. If all users on an interface need to use the same AAA scheme but the user names entered by some users contain domain names and those entered by other users do not, the device also cannot meet this requirement. To address this issue, you can configure a forcible domain. All users on the interface are then authenticated in the forcible domain, regardless of whether the user names they enter contain domain names.

Prerequisites

A domain has been created using the domain (AAA view) command.

Example

# Configure the forcible domain huawei for 802.1X authentication users on the interface GE1/0/1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x domain huawei

dot1x eap-notify-packet

Function

The dot1x eap-notify-packet command enables the device to send an EAP packet code number to users.

The undo dot1x eap-notify-packet command disables the device from sending an EAP packet code number to users.

By default, the device is disabled from sending an EAP packet code number to users.

Format

dot1x eap-notify-packet eap-code code-number data-type type-number

undo dot1x eap-notify-packet [ eap-code code-number data-type type-number ]

Parameters

Parameter

Description

Value

eap-code code-number

Specifies an EAP packet code number sent to users.

The value is an integer that ranges from 5 to 255.

data-type type-number

Specifies the data type in EAP packets sent to users.

The value is an integer that ranges from 1 to 255.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a non-Huawei device used as the RADIUS server sends the device RADIUS packets carrying attribute 61 with EAP packet code number 0xa (hexadecimal notation, 10 in decimal notation) and data type 0x19 (hexadecimal notation, 25 in decimal notation), run the dot1x eap-notify-packet command on the device so that it can send EAP packets with code number 0xa and data type 0x19 to users. If the dot1x eap-notify-packet command is not executed, the device does not process EAP packets of this type and users are disconnected.

Precautions

The device can only process EAP packets with code number 10 and data type 25.

Example

# Allow the device to send EAP packets with code number 10 and data type 25 to users.

<HUAWEI> system-view
[HUAWEI] dot1x eap-notify-packet eap-code 10 data-type 25

dot1x enable

Function

The dot1x enable command enables 802.1X authentication on a device.

The undo dot1x enable command disables 802.1X authentication on a device.

By default, 802.1X authentication is disabled on a device.

Format

In the system view:

dot1x enable [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

undo dot1x enable [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

In the interface view:

dot1x enable

undo dot1x enable

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Enables 802.1X authentication on the specified interface of the device.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

Global 802.1X authentication is enabled if this parameter is not specified.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The IEEE 802.1X standard (802.1X for short) is a port-based network access control protocol. You can run the dot1x enable command to enable 802.1X authentication globally and on an interface.

To make the 802.1X configuration effective on an interface, enable the global 802.1X authentication function and perform either of the following operations:
  • Run the dot1x enable command in the interface view.
  • Run the dot1x enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command in the system view.

Precautions

  • The cards configured in limiting-mac mode do not support user access.
  • Ensure that all users have been disconnected before the undo operation is executed.

  • After the static MAC address entry is configured using the mac-address static mac-address interface-type interface-number vlan vlan-id command, the user corresponding to the entry cannot pass 802.1X authentication.
  • If 802.1X authentication is enabled on an interface, the following commands cannot be used on the same interface.

    Command Function
    mac-limit Sets the maximum number of MAC addresses that can be learned by an interface.
    mac-address learning disable Disables MAC address learning on an interface.
    port link-type dot1q-tunnel Sets the link type of an interface to QinQ.
    port vlan-mapping vlan map-vlan Configures VLAN mapping on an interface.
    port vlan-mapping vlan inner-vlan Configures VLAN mapping on an interface.
    port vlan-stacking Configures selective QinQ.
    mac-vlan enable Enables MAC address-based VLAN assignment on an interface.
    ip-subnet-vlan enable Enables IP subnet-based VLAN assignment on an interface.
    user-bind ip sticky-mac Enables the device to generate snooping MAC entries.

Example

# Enable 802.1X authentication on GE1/0/1 in the system view.

<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1

# Enable 802.1X authentication on GE1/0/1 in the interface view.

<HUAWEI> system-view
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x enable

dot1x free-ip

Function

The dot1x free-ip command configures a free IP subnet.

The undo dot1x free-ip command deletes the configured free IP subnet.

By default, no free IP subnet is configured.

Format

dot1x free-ip ip-address { mask-length | mask-address }

undo dot1x free-ip { ip-address { mask-length | mask-address } | all }

Parameters

Parameter Description Value
ip-address Specifies a free IP subnet. The value is in dotted decimal notation.
mask-length Specifies the mask length of an IP address. The value is an integer that ranges from 1 to 32.
mask-address Specifies the mask of the IP address. The value is in dotted decimal notation.
all Deletes all free IP subnets. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

802.1X users can access networks only after being authenticated. You can configure a free IP subnet, so that users can access network resources in the free IP subnet before being authenticated.

Precautions

  • 802.1X authentication has been enabled globally and on an interface using the dot1x enable command.

  • After the free-ip function is configured, the guest VLAN, critical VLAN, and restrict VLAN are no longer effective.

  • The free IP subnet takes effect only when the interface authorization state is auto.

  • If a user who does not pass 802.1X authentication wants to obtain an IP address dynamically through the DHCP server, the network segment of the DHCP server needs to be configured to a free IP subnet so that the user can access the DHCP server.

  • After 802.1X users go offline, they are not allowed to access network resources on free IP subnets within a specified period to prevent malicious attacks.

  • After users succeed in 802.1X-based fast deployment, they can access only resources in the free IP subnets and some resources on the device.

Example

# Configure 192.168.1.0/24 as a free IP subnet that users can access before they pass 802.1X authentication.

<HUAWEI> system-view
[HUAWEI] dot1x free-ip 192.168.1.0 24

dot1x handshake

Function

The dot1x handshake command enables the device to send handshake packets to online 802.1X users.

The undo dot1x handshake command disables the device from sending handshake packets to online 802.1X users.

By default, the device handshake function is disabled for online 802.1X users.

Format

dot1x handshake

undo dot1x handshake

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

To check whether an 802.1X user is online in real time, you can run the dot1x handshake command to enable the device to send handshake packets to the 802.1X user. The device sends handshake request packets to the user. If the user sends a response packet within the handshake interval (set using the dot1x timer command), the device considers that the user is online. If the user does not send any response packet within the interval, the device considers that the user is offline.
NOTE:

If a client does not support the handshake function, the device will not receive handshake response packets within the handshake interval and considers that the user is offline. Therefore, disable the device from sending handshake packets to an online 802.1X user when the user's client does not support the handshake function.

After the dot1x timer arp-detect arp-detect-value command is executed to configure ARP detection, the handshake function between the device and online 802.1X users does not take effect.

Example

# Enable the device to send handshake packets to online 802.1X users.

<HUAWEI> system-view
[HUAWEI] dot1x handshake

dot1x handshake packet-type

Function

The dot1x handshake packet-type command sets the type of 802.1X authentication handshake packets.

The undo dot1x handshake packet-type command restores the default type of 802.1X authentication handshake packets.

By default, the type of 802.1X authentication handshake packets is request-identity.

Format

dot1x handshake packet-type { request-identity | srp-sha1-part2 }

undo dot1x handshake packet-type

Parameters

Parameter Description Value
request-identity Indicates that the type of 802.1X authentication handshake packets is request-identity. -
srp-sha1-part2 Indicates that the type of 802.1X authentication handshake packets is srp-sha1-part2. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

During 802.1X authentication, devices from different vendors support different handshake packet types. By default, the device uses 802.1X authentication handshake packets of the request-identity type. If the device is connected to a non-Huawei device that uses 802.1X authentication handshake packets of the srp-sha1-part2 type, run the dot1x handshake packet-type command to set the type of 802.1X authentication handshake packets to srp-sha1-part2.
NOTE:

The dot1x handshake packet-type command takes effect only for users that log in after the command is run.

Example

# Set the type of 802.1X authentication handshake packets to srp-sha1-part2.

<HUAWEI> system-view
[HUAWEI] dot1x handshake packet-type srp-sha1-part2

dot1x mac-bypass

Function

The dot1x mac-bypass command enables MAC address bypass authentication on an interface.

The undo dot1x mac-bypass command disables MAC address bypass authentication on an interface.

By default, MAC address bypass authentication is disabled on an interface.

Format

In the system view:

dot1x mac-bypass { interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> }

undo dot1x mac-bypass { interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> }

In the interface view:

dot1x mac-bypass

undo dot1x mac-bypass

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Enables MAC address bypass authentication on the specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can enable MAC address bypass authentication for terminals (for example, printers) on which the 802.1X client software cannot be installed or used.

After MAC address bypass authentication is enabled on the interface using the dot1x mac-bypass command, the device first performs 802.1X authentication on users. If the user name request times out, the device starts the MAC address authentication process for the users.
NOTE:

Running the dot1x mac-bypass command also enables 802.1X authentication on an interface, and running the undo dot1x mac-bypass command also disables 802.1X authentication on an interface. When you run the dot1x mac-bypass command on an interface that has been enabled with 802.1X authentication, the authentication mode on the interface changes to MAC address bypass authentication.

Prerequisites

802.1X authentication has been enabled globally using the dot1x enable command.

Example

# Enable MAC address bypass authentication on GE1/0/1 in the system view.

<HUAWEI> system-view
[HUAWEI] dot1x mac-bypass interface gigabitethernet 1/0/1

# Enable MAC address bypass authentication on GE1/0/1 in the interface view.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass

dot1x mac-bypass mac-auth-first

Function

The dot1x mac-bypass mac-auth-first command enables the device to perform MAC address authentication first during MAC address bypass authentication.

The undo dot1x mac-bypass mac-auth-first command disables the device from performing MAC address authentication first during MAC address bypass authentication.

By default, the MAC address authentication is not performed first during MAC address bypass authentication.

Format

In the system view:

dot1x mac-bypass mac-auth-first interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo dot1x mac-bypass mac-auth-first interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

dot1x mac-bypass mac-auth-first

undo dot1x mac-bypass mac-auth-first

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Enables the device to perform MAC address authentication first on a specified interface during MAC address bypass authentication.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When both the clients that do not support 802.1X authentication (such as printers) and the clients that support 802.1X authentication (such as PCs) are connected to the interface enabled with MAC address bypass authentication, you can run the dot1x mac-bypass mac-auth-first command to enable the device to perform MAC address authentication first during MAC address bypass authentication. After that, the device first starts the MAC address authentication process for users, and triggers 802.1X authentication only if MAC address authentication fails.

Prerequisites

802.1X authentication has been enabled globally and on an interface using the dot1x enable command.

Follow-up Procedure

Run the dot1x mac-bypass command to enable MAC address bypass authentication on the interface.

Example

# Enable the device to first perform MAC address authentication on GE1/0/1 during MAC address bypass authentication in the system view.

<HUAWEI> system-view
[HUAWEI] dot1x mac-bypass mac-auth-first interface gigabitethernet 1/0/1

# Enable the device to first perform MAC address authentication on GE1/0/1 during MAC address bypass authentication in the interface view.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass mac-auth-first

dot1x max-user

Function

The dot1x max-user command sets the maximum number of 802.1X authentication users allowed on an interface.

The undo dot1x max-user command restores the default maximum number of 802.1X authentication users allowed on an interface.

By default, the maximum number of 802.1X authentication users allowed on an interface is the maximum number of 802.1X authentication users supported by the device.

Format

In the system view:

dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo dot1x max-user [ user-number ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

dot1x max-user user-number

undo dot1x max-user [ user-number ]

Parameters

Parameter

Description

Value

user-number

Specifies the maximum number of 802.1X authentication users on an interface.

The value is an integer that varies depending on the card type.

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To limit the maximum number of 802.1X authentication users allowed on an interface, run the dot1x max-user command.

Prerequisites

The 802.1X authentication function has been enabled globally and on an interface using the dot1x enable command.

Precautions

If the user access mode on an interface is interface-based (configured using the dot1x port-method command), the maximum number of 802.1X authentication users allowed on the interface is 1. Before running the dot1x max-user command to set the maximum number of 802.1X authentication users allowed on the interface, run the undo dot1x port-method command to restore the user access mode on the interface to MAC address-based.

Example

# In the system view, set the maximum number of 802.1X authentication users allowed on GE1/0/1 to 7.

<HUAWEI> system-view
[HUAWEI] dot1x max-user 7 interface gigabitethernet 1/0/1

# In the interface view, set the maximum number of 802.1X authentication users allowed on GE1/0/1 to 7.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x max-user 7

dot1x mc-trigger

Function

The dot1x mc-trigger command enables multicast-triggered 802.1X authentication.

The undo dot1x mc-trigger command disables multicast-triggered 802.1X authentication.

By default, multicast-triggered 802.1X authentication is enabled.

Format

dot1x mc-trigger

undo dot1x mc-trigger

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a client (for example, the built-in 802.1X client of the Windows operating system) cannot send an EAPOL-Start packet to perform 802.1X authentication, you can enable multicast-triggered 802.1X authentication. After that, the device multicasts an Identity EAP-Request frame to the client to trigger authentication.

Prerequisites

802.1X authentication has been enabled globally and on the interface using the dot1x enable command.

Example

# Enable multicast-triggered 802.1X authentication.

<HUAWEI> system-view
[HUAWEI] dot1x mc-trigger

dot1x mc-trigger port-up-send enable

Function

The dot1x mc-trigger port-up-send enable command enables the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up.

The undo dot1x mc-trigger port-up-send enable command disables the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up.

By default, the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up is disabled.

Format

dot1x mc-trigger port-up-send enable

undo dot1x mc-trigger port-up-send enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device periodically multicasts EAP-Request/Identity packets to clients so that the clients are triggered to send EAPOL-Start packets for 802.1X authentication. If the device interface connecting to a client changes from Down to Up, the client needs to send EAPOL-Start packets again for 802.1X authentication, which takes a long time. You can run the dot1x mc-trigger port-up-send enable command on the device to enable the device interface to multicast EAP-Request/Identity packets to the client to trigger 802.1X authentication immediately after the interface goes Up. This configuration shortens the re-authentication time.

Precautions

When the access control mode on the device interface is based on the MAC address, the dot1x mc-trigger port-up-send enable command does not take effect.

Example

# Enable the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up.

<HUAWEI> system-view
[HUAWEI] dot1x mc-trigger port-up-send enable

dot1x port-control

Function

The dot1x port-control command sets the authorization state of an interface.

The undo dot1x port-control command restores the default authorization state of an interface.

By default, the authorization state of an interface is auto.

Format

In the system view:

dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo dot1x port-control interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

dot1x port-control { auto | authorized-force | unauthorized-force }

undo dot1x port-control

Parameters

Parameter

Description

Value

auto

Indicates the auto identification mode. In this mode, an interface is initially in Unauthorized state and only allows users to send and receive EAPOL packets. Users cannot access network resources. After the users are authenticated, the interface becomes authorized and allows the users to access network resources.

-

authorized-force

Indicates the forcible authorization mode. In this mode, the interface is always in Authorized state and allows users to access network resources without authentication and authorization.

-

unauthorized-force

Indicates the forcible unauthorized mode. In this mode, the interface is always in Unauthorized state and forbids users to access network resources.

-

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The auto mode is recommended. Only authenticated users can access network resources. To trust all users on an interface without authentication, configure the authorized-force mode. To disable access rights of all users on an interface to ensure security, configure the unauthorized-force mode.

Prerequisites

802.1X authentication has been enabled globally and on an interface using the dot1x enable command.

Precautions

The cards configured in limiting-mac mode do not support user access.

When there are online 802.1X users on an interface, the dot1x port-control command must not be run; otherwise, the system displays alarm information.

It is recommended that you set the authorization state of an interface in the early stage of network deployment. When the network is running properly, run the cut access-user command to disconnect all users from the interface before changing the authorization state.

Example

# Set the authorization state of GE1/0/1 to unauthorized-force in the system view.

<HUAWEI> system-view
[HUAWEI] dot1x port-control unauthorized-force interface gigabitethernet 1/0/1

# Set the authorization state of GE1/0/1 to unauthorized-force in the interface view.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x port-control unauthorized-force

dot1x port-method

Function

The dot1x port-method command sets the 802.1X access control method of an interface.

The undo dot1x port-method command restores the default 802.1X access control method of an interface.

By default, 802.1X access control on an interface is based on MAC addresses.

Format

In the system view:

dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo dot1x port-method interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

dot1x port-method { mac | port }

undo dot1x port-method

Parameters

Parameter

Description

Value

mac

Indicates that users are authenticated based on their MAC addresses.

-

port

Indicates that users are authenticated based on their access interfaces.

-

interface { interface-type interface-number1 [ to interface-number2 ] }

Indicates the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

802.1X access control can be based on MAC addresses or interfaces.

  • When the mac method is used, all 802.1X users on an interface are authenticated one by one. If a user goes offline, other users on this interface are not affected. The mac method is applicable to individual users.
  • When the port method is used, all the other 802.1X users on an interface can use network resources as long as one user is authenticated successfully. When the authenticated user goes offline, other users cannot use network resources. The port method is applicable to group users.

Prerequisites

802.1X authentication has been enabled globally and on an interface using the dot1x enable command.

Precautions

  • When there are online 802.1X users on an interface, do not run the dot1x port-method command to change the access control method on the interface.

  • If the access control method of an interface is set to port, only one 802.1X user can access the interface. After you run the undo dot1x port-method command, MAC address-based access control is enabled, but still only one user can access the interface. You can run the dot1x max-user command to increase the maximum number of 802.1X users as required.

Example

# Set the 802.1X access control method on GE1/0/1 in the system view to port.

<HUAWEI> system-view
[HUAWEI] dot1x port-method port interface gigabitethernet 1/0/1

# Set the 802.1X access control method on GE1/0/1 in the interface view to port.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x port-method port

dot1x quiet-period

Function

The dot1x quiet-period command enables the quiet timer function.

The undo dot1x quiet-period command disables the quiet timer function.

By default, the quiet timer function is enabled.

Format

dot1x quiet-period

undo dot1x quiet-period

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the quiet timer function is enabled, if the number of authentication failures of an 802.1X user exceeds a specified value (set using the dot1x quiet-times command) within 60 seconds, the user enters a quiet period. During the quiet period, the device discards the 802.1X authentication request packets from the user. This prevents the impact on the system due to frequent user authentication.

The value of the quiet timer is set using the dot1x timer command. When the quiet timer expires, the device re-authenticates the user.

Precautions

To make the configuration take effect, enable 802.1X authentication both globally and on the interface using the dot1x enable command.

Example

# Enable the quiet timer.

<HUAWEI> system-view
[HUAWEI] dot1x quiet-period

dot1x quiet-times

Function

The dot1x quiet-times command sets the maximum number of authentication failures within 60 seconds before an 802.1X user enters the quiet state.

The undo dot1x quiet-times command restores the default setting.

By default, an 802.1X user enters the quiet state after ten authentication failures within 60 seconds.

Format

dot1x quiet-times fail-times

undo dot1x quiet-times

Parameters

Parameter

Description

Value

fail-times

Specifies the maximum number of authentication failures before the 802.1X user enters the quiet state.

The value is an integer that ranges from 1 to 10.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the quiet timer function of the device is enabled using the dot1x quiet-period command, if the number of authentication failures of an 802.1X user exceeds the value that is set using the dot1x quiet-times command within 60 seconds, the user enters the quiet state. This prevents the impact on the system due to frequent user authentication.
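The quiet-timer behaviour described for dot1x quiet-period, dot1x quiet-times and dot1x timer quiet-period, modelled as an added Python simulation (this is not Huawei code; the QuietTimer class, the MAC addresses and the request trace are constructed for illustration):

```python
"""Constructed simulation (not Huawei code) of the 802.1X quiet timer:
if one supplicant fails authentication more than fail-times times within a
60 s window, its further authentication requests are discarded for
quiet-period seconds, after which the device processes them again."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # fixed 60 s failure-counting window from the command reference


class QuietTimer:
    def __init__(self, fail_times=10, quiet_period=60, enabled=True):
        # Defaults mirror the page: quiet-times 10, quiet-period 60 s, function enabled.
        # enabled=False models "undo dot1x quiet-period".
        self.fail_times = fail_times
        self.quiet_period = quiet_period
        self.enabled = enabled
        self._failures = defaultdict(deque)  # mac -> timestamps of recent failures
        self._quiet_until = {}               # mac -> time when the quiet period ends

    def in_quiet_state(self, mac, now):
        until = self._quiet_until.get(mac)
        if until is None:
            return False
        if now >= until:
            # Quiet timer expired: the device accepts the user's requests again.
            del self._quiet_until[mac]
            return False
        return True

    def accept_request(self, mac, now):
        """True if an authentication request at time `now` is processed,
        False if the device discards it because the user is in the quiet state."""
        if not self.enabled:
            return True
        return not self.in_quiet_state(mac, now)

    def record_failure(self, mac, now):
        """Record a failed authentication. Returns True if the user just entered
        the quiet state. The page says the count must *exceed* fail-times; change
        '>' to '>=' if your device counts the fail-times-th failure itself."""
        if not self.enabled:
            return False
        window = self._failures[mac]
        window.append(now)
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # drop failures older than the 60 s window
        if len(window) > self.fail_times:
            self._quiet_until[mac] = now + self.quiet_period
            window.clear()
            return True
        return False


def simulate(trace, fail_times=4, quiet_period=60):
    """Run a constructed trace of (time_s, mac, outcome) events, where outcome is
    'fail' or 'ok' for a request the device would otherwise process.
    Returns the action the simulated device takes for each event."""
    qt = QuietTimer(fail_times=fail_times, quiet_period=quiet_period)
    actions = []
    for now, mac, outcome in trace:
        if not qt.accept_request(mac, now):
            actions.append((now, mac, "discarded"))
            continue
        if outcome == "fail" and qt.record_failure(mac, now):
            actions.append((now, mac, "quiet"))
        else:
            actions.append((now, mac, outcome))
    return actions


# Constructed trace: one supplicant fails five times in 40 s (quiet-times 4),
# a second supplicant on the same interface is unaffected.
SAMPLE_TRACE = [
    (0, "00e0-fc01-0005", "fail"),
    (5, "00e0-fc01-0006", "fail"),
    (10, "00e0-fc01-0005", "fail"),
    (15, "00e0-fc01-0006", "ok"),
    (20, "00e0-fc01-0005", "fail"),
    (30, "00e0-fc01-0005", "fail"),
    (40, "00e0-fc01-0005", "fail"),   # fifth failure within 60 s -> quiet until t=100
    (50, "00e0-fc01-0005", "ok"),     # discarded while quiet
    (100, "00e0-fc01-0005", "ok"),    # quiet period over, processed again
]

if __name__ == "__main__":
    for action in simulate(SAMPLE_TRACE):
        print(action)
```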

Example

# Set the maximum number of authentication failures within 60 seconds to 4.

<HUAWEI> system-view
[HUAWEI] dot1x quiet-times 4

dot1x reauthenticate

Function

The dot1x reauthenticate command enables periodic 802.1X re-authentication on an interface.

The undo dot1x reauthenticate command disables periodic 802.1X re-authentication on an interface.

By default, periodic 802.1X re-authentication is disabled on an interface.

Format

In the system view:

dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

dot1x reauthenticate

undo dot1x reauthenticate

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After modifying the authentication information of an online user on the authentication server, the administrator needs to re-authenticate the user in real time to ensure user validity.

After the user goes online, the device saves user authentication information. After 802.1X re-authentication is enabled using the dot1x reauthenticate command, the device sends the stored authentication information of the online user to the authentication server for re-authentication at an interval. If the authentication information of the user does not change on the authentication server, the user is online normally. If the authentication information has been changed, the user is forced to go offline. The user then needs to be re-authenticated according to the changed authentication information.
NOTE:

The re-authentication interval is set using the dot1x timer reauthenticate-period command.

Precautions

If periodic 802.1X re-authentication is enabled, a large number of 802.1X authentication logs are generated.

If the device is connected to a server for re-authentication and the server replies with a re-authentication deny message that makes an online user go offline, it is recommended that you locate the cause of the re-authentication failure on the server or disable the re-authentication function on the device.

Example

# Enable periodic 802.1X re-authentication on GE1/0/1 in the system view.

<HUAWEI> system-view
[HUAWEI] dot1x reauthenticate interface gigabitethernet 1/0/1

# Enable periodic 802.1X re-authentication on GE1/0/1 in the interface view.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x reauthenticate

dot1x reauthenticate mac-address

Function

The dot1x reauthenticate mac-address command enables re-authentication for an online 802.1X user with the specified MAC address.

By default, re-authentication is disabled for an online 802.1X user with the specified MAC address.

Format

dot1x reauthenticate mac-address mac-address

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address of an 802.1X user to be re-authenticated.

The value is in H-H-H format. H contains 1 to 4 hexadecimal digits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

For details, see dot1x reauthenticate.

Both the dot1x reauthenticate mac-address and dot1x reauthenticate commands re-authenticate online 802.1X users; they differ as follows:
  • The dot1x reauthenticate mac-address command configures the device to re-authenticate a specified user once.
  • The dot1x reauthenticate command configures the device to re-authenticate all users on a specified interface at intervals.

Example

# Enable re-authentication for an 802.1X user with the MAC address of 00e0-fc01-0005.

<HUAWEI> system-view
[HUAWEI] dot1x reauthenticate mac-address 00e0-fc01-0005

dot1x retry

Function

The dot1x retry command configures the number of times an authentication request or handshake packet is retransmitted to an 802.1X user.

The undo dot1x retry command restores the default configuration.

By default, the device can retransmit an authentication request or handshake packet to an 802.1X user twice.

Format

dot1x retry max-retry-value

undo dot1x retry

Parameters

Parameter

Description

Value

max-retry-value

Specifies the number of times an authentication request or handshake packet is retransmitted to an 802.1X user.

The value is an integer that ranges from 1 to 10.

By default, the device can retransmit an authentication request or handshake packet to an 802.1X user twice.

The default value is recommended.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If the device does not receive any response from a user within a specified time after sending an authentication request or handshake packet to the user, the device sends the authentication request or handshake packet again. If the authentication request or handshake packet has been sent for the maximum retransmission times and no response is received, the user authentication or handshake fails. In this process, the total number of authentication requests or handshake packets sent by the device is max-retry-value plus 1.

NOTE:
  • After you run the dot1x retry command, the setting takes effect on all interfaces enabled with 802.1X authentication.
  • Repeated authentication requests occupy a lot of system resources. When using the dot1x retry command, you can set the maximum number of times according to user requirements and device resources. The default value is recommended.
  • The interval for sending authentication requests is set using the dot1x timer command. The interval for sending authentication requests to offline users is controlled by the tx-period and client-timeout timer, and the interval for sending authentication requests to online users is controlled by the handshake-period timer.
  • The dot1x retry command is used together with the guest VLAN function (for details, see authentication guest-vlan). If a user does not respond within the specified maximum number of times, the user is added to the guest VLAN so that the user can access resources in the guest VLAN without being authenticated.

Example

# Set the number of times an authentication request or handshake packet can be retransmitted to 802.1X users to 4.

<HUAWEI> system-view
[HUAWEI] dot1x retry 4

dot1x timer

Function

The dot1x timer command sets values of timers used in 802.1X authentication.

The undo dot1x timer command restores the default settings of timers used in 802.1X authentication.

By default, the values of timers used in 802.1X authentication are not set.

Format

dot1x timer { arp-detect arp-detect-value | client-timeout client-timeout-value | handshake-period handshake-period-value | eth-trunk-access handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | mac-bypass-delay delay-time-value | free-ip-timeout free-ip-time-value }

undo dot1x timer { arp-detect | client-timeout | handshake-period | eth-trunk-access handshake-period | quiet-period | tx-period | mac-bypass-delay | free-ip-timeout }

Parameters

Parameter

Description

Value

arp-detect arp-detect-value

Specifies the ARP detection interval.

The value is 0 or an integer that ranges from 5 to 7200, in seconds. 0 indicates that the ARP detect function is disabled.

The default ARP detect interval is 120 seconds.

client-timeout client-timeout-value

Specifies the timeout interval of the authentication response from the client.

NOTE:

On the network, some terminals may delay in responding to EAP-Request/MD5 Challenge packets sent from the device. If the delay is long, you can increase client-timeout client-timeout-value so that these terminals can go online. The adjustment rule is as follows:

3 x client-timeout client-timeout-value > Terminal response delay

The value is an integer that ranges from 1 to 120, in seconds.

By default, the timeout interval of the authentication response from the client is 5 seconds.

handshake-period handshake-period-value

Specifies the handshake interval between the device and 802.1X authentication client connected to a non-Eth-Trunk interface.

For details, see dot1x handshake.

The value is an integer that ranges from 5 to 7200, in seconds.

By default, the interval for sending handshake packets is 60 seconds.

eth-trunk-access handshake-period handshake-period-value

Specifies the handshake interval between the device and 802.1X authentication client connected to an Eth-Trunk.

For details, see dot1x handshake.

The value is an integer that ranges from 30 to 7200, in seconds.

By default, the interval for sending handshake packets is 120 seconds.

quiet-period quiet-period-value

Specifies the quiet period.

For details, see dot1x quiet-period.

The value is an integer that ranges from 1 to 3600, in seconds.

By default, the quiet period of a user who fails authentication is 60 seconds.

tx-period tx-period-value

Specifies the interval for sending authentication requests.

The device starts the tx-period timer in either of the following situations:
  • When the client initiates authentication, the device sends a unicast Request/Identity request packet to the client and starts the tx-period timer. If the client does not respond within the period set by the timer, the device retransmits the authentication request packet.
  • To authenticate the 802.1X clients that cannot initiate authentication, the device sends multicast Request/Identity packets through the 802.1X-enabled interface to the clients at the interval set by the tx-period timer.

The value is an integer that ranges from 1 to 120, in seconds.

By default, the interval for sending authentication requests is 30 seconds.

mac-bypass-delay delay-time-value

Specifies the value of the delay timer for MAC address bypass authentication.

After MAC address bypass authentication is configured, the device performs 802.1X authentication and starts the delay timer for MAC address bypass authentication. If 802.1X authentication fails after the value of the delay timer is reached, the device performs MAC address bypass authentication.

The value is an integer that ranges from 1 to 300, in seconds.

By default, the value of the delay timer for MAC address bypass authentication is 30s.

free-ip-timeout free-ip-time-value

Specifies the aging time of authentication-free user entries.

When the 802.1X free IP subnet is configured, the device creates authentication-free user entries after receiving ARP/DHCP packets from 802.1X users. If users go offline abnormally, the authentication-free user entries cannot be deleted. To prevent this problem, the aging time of authentication-free user entries can be configured.

The value is an integer that ranges from 0 to 71581, in minutes. The value 0 indicates that authentication-free user entries do not age.

By default, authentication-free user entries do not age.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

During 802.1X authentication, multiple timers implement systematic interactions between access users, access devices, and the authentication server. You can change the values of the timers using the dot1x timer command to adjust the interaction process. (The values of some timers cannot be changed.) This command is necessary in special network environments. Generally, the default settings of the timers are recommended.

The ARP probe function can also be implemented by detecting whether there is user traffic on the access device. If the ARP probe interval is n, the device detects user traffic at n and 2n. The following uses the 0-n period as an example. The process during the n-2n period is the same as that during 0-n.
  • If user traffic passes through the device within the 0-n period, the device considers that the user is online at n, and will not send ARP probe packets. Additionally, the device resets the ARP probe interval.
  • If no user traffic passes through the device within the 0-n period, the device cannot determine whether the user is online at n. In this case, the device sends an ARP probe packet. If the device receives an ARP reply packet from the user, it considers the user online and resets the ARP probe interval. If no ARP reply packet is received, the device considers the user offline.
  • If user traffic passes through the device or the device receives an ARP reply packet from the user within the 2n-3n period, the device considers that the user is online at 3n and resets the ARP probe interval.
  • If no user traffic passes through the device and the device receives no ARP reply packet from the user within the 2n-3n period, the device cannot determine whether the user is online at 3n and considers the user offline.
If the device considers that the user is offline at n, 2n, and 3n, the device deletes all entries related to the user. To prevent the user from going offline unexpectedly when no operation is performed on the PC, do not set a short ARP probe interval.
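The ARP offline-detection timeline described above, as an added Python model that is not Huawei code: it walks the checkpoints n, 2n, 3n for a given dot1x timer arp-detect value and reports when a user would be declared offline. The traffic and ARP-reply timestamps are constructed inputs, and reading three consecutive offline verdicts as the point where the user's entries are deleted is an assumption taken from the wording of the page.

```python
"""Constructed model (not Huawei code) of ARP offline detection with probe
interval n: at each checkpoint k*n the device checks for user traffic in the
preceding window, probes a silent user with an ARP request, and treats a
missing reply as an offline verdict. Three consecutive offline verdicts
(n, 2n, 3n in the command reference) are taken here as the point at which
the device deletes the user's entries."""


def arp_detect_timeline(interval, traffic_times, reply_times, horizon):
    """Walk checkpoints interval, 2*interval, ... up to `horizon` (all in seconds).

    traffic_times: times at which user data traffic was seen (constructed input).
    reply_times:   times at which the user answered an ARP probe (constructed
                   input); a probe sent at checkpoint t counts as answered if a
                   reply falls in (t, t + interval], which is how the page's
                   "reply within the 2n-3n period" is read here.
    Returns (verdicts, deleted_at): verdicts is a list of (checkpoint, verdict)
    with verdict 'online-traffic', 'online-arp-reply' or 'offline'; deleted_at
    is the checkpoint at which the user's entries would be deleted, or None.
    """
    if interval == 0:
        return [], None  # arp-detect 0 disables ARP detection (parameter table)
    verdicts = []
    consecutive_offline = 0
    t = interval
    while t <= horizon:
        # Traffic seen in the window (t-n, t]: user online, no probe, timer reset.
        saw_traffic = any(t - interval < x <= t for x in traffic_times)
        if saw_traffic:
            verdict = "online-traffic"
        else:
            # Silent window: the device sends an ARP probe now and waits for a reply.
            answered = any(t < r <= t + interval for r in reply_times)
            verdict = "online-arp-reply" if answered else "offline"
        verdicts.append((t, verdict))
        if verdict == "offline":
            consecutive_offline += 1
            if consecutive_offline == 3:
                return verdicts, t  # offline at n, 2n and 3n: entries deleted
        else:
            consecutive_offline = 0
        t += interval
    return verdicts, None


def time_to_deletion(interval):
    """Worst case for a host that is silent and does not answer ARP: how long
    after its last activity the device deletes its entries (three probes)."""
    _, deleted_at = arp_detect_timeline(interval, [], [], 100 * interval)
    return deleted_at


if __name__ == "__main__":
    # Constructed inputs with the default interval of 120 s.
    print(arp_detect_timeline(120, [30, 200, 350], [], 360))      # busy PC
    print(arp_detect_timeline(120, [], [150, 270, 400], 480))     # idle PC answering ARP
    print(arp_detect_timeline(120, [], [], 1000))                 # unplugged PC
    print(time_to_deletion(5), time_to_deletion(120))             # short vs default interval
```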

Example

# Set the timeout interval of the authentication response from the client to 90s.

<HUAWEI> system-view
[HUAWEI] dot1x timer client-timeout 90

dot1x timer reauthenticate-period

Function

The dot1x timer reauthenticate-period command sets the re-authentication interval for 802.1X authentication users.

The undo dot1x timer reauthenticate-period command restores the default re-authentication interval.

By default, the re-authentication interval is 3600 seconds.

Format

dot1x timer reauthenticate-period reauthenticate-period-value

undo dot1x timer reauthenticate-period

Parameters

Parameter

Description

Value

reauthenticate-period-value

Specifies the re-authentication interval for 802.1X authentication users.

To reduce the impact on the device performance when many users exist, the user re-authentication interval may be longer than the configured re-authentication interval.

The value is an integer that ranges from 1 to 65535, in seconds.

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

After enabling the re-authentication function for online 802.1X authentication users using the dot1x reauthenticate command, run the dot1x timer reauthenticate-period command to set the re-authentication interval. The device then authenticates online users at the specified interval, ensuring that only authorized users can keep online.

If the command is executed in the system view, the function takes effect on all interfaces. If the command is executed in both system view and interface view, the function takes effect on the interface.

NOTE:

It is recommended that the re-authentication interval be set to the default value. If multiple ACLs need to be delivered during user authorization, you are advised to disable the re-authentication function or set a longer re-authentication interval to improve the device's processing performance.

In remote authentication and authorization, if the re-authentication interval is set to a shorter time, the CPU usage may be higher.

To reduce the impact on the device performance when many users exist, the user re-authentication interval may be longer than the configured re-authentication interval.

Example

# Set the 802.1X re-authentication interval to 7200 seconds.

<HUAWEI> system-view
[HUAWEI] dot1x timer reauthenticate-period 7200

dot1x trigger dhcp-binding

Function

The dot1x trigger dhcp-binding command enables the device to automatically generate the DHCP snooping binding table after static IP users pass 802.1X authentication.

The undo dot1x trigger dhcp-binding command restores the default setting.

By default, the device does not automatically generate the DHCP snooping binding table after static IP users pass 802.1X authentication.

Format

dot1x trigger dhcp-binding

undo dot1x trigger dhcp-binding

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Scenario

Unauthorized users may change their MAC addresses to those of authorized users. After the authorized users are connected through 802.1X authentication, the unauthorized users obtain the same identities as the authorized users and connect to the network without authentication. This poses security risks for authentication and accounting. After accessing the network, unauthorized users can also initiate ARP spoofing attacks by sending bogus ARP packets; the device then records incorrect ARP entries, greatly affecting normal communication between authorized users. To prevent these attacks, configure IPSG and DAI. These two functions are implemented based on binding tables. For static IP users, you can run the user-bind static command to configure the static binding table. However, if there are many static IP users, configuring static binding entries one by one takes a long time.

To reduce the workload, you can configure the device to automatically generate the DHCP snooping binding table for static IP users. After the static IP users who pass 802.1X authentication send EAP packets to trigger generation of the user information table, the device automatically generates the DHCP snooping binding table based on the MAC address, IP address, and interface recorded in the table.

You can run the display dhcp snooping user-bind command to check the DHCP snooping binding table that is generated by the device for static IP users who pass 802.1X authentication. The DHCP snooping binding table generated using this function will be deleted after the users are disconnected.

Follow-up Procedure

After the DHCP snooping binding table has been generated, configure IPSG and DAI to prevent attacks from unauthorized users.

Precautions

  • Before configuring the device to generate the DHCP snooping binding table for static IP users, you must have enabled 802.1X authentication and DHCP snooping globally and on interfaces using the dot1x enable and dhcp snooping enable commands.

  • The EAP protocol does not define a standard attribute for carrying IP address information. Therefore, if the EAP request packet sent by a static IP user does not contain an IP address, the IP address in the DHCP snooping binding table is taken from the first ARP request packet whose source MAC address matches the user information table after the user passes authentication. On the network, unauthorized users may forge authorized users' MAC addresses to launch ARP spoofing attacks against the device, so a DHCP snooping binding table generated in this way may be unreliable. Therefore, the dot1x trigger dhcp-binding command is not recommended; you are advised to run the user-bind static command to configure the static binding table instead.

  • For users who are assigned IP addresses using DHCP, you do not need to run the dot1x trigger dhcp-binding command on the device. The DHCP snooping binding table is generated through the DHCP snooping function.
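The following Python model, added here and not part of the command reference or the device software, illustrates the two points above: how a binding entry for a static-IP 802.1X user is completed from the first ARP request carrying the user's MAC address, why an attacker who clones that MAC and sends an ARP request first can poison the entry, and how IPSG and DAI then consume the table. The data structures, the MAC-only matching rule, the port names and the packets are all assumptions constructed for the example; user-bind static is modelled as an administrator-supplied entry.

```python
"""Model of dot1x trigger dhcp-binding behaviour and of the IPSG/DAI checks that
use the binding table. Constructed example, not device code: the structures, the
MAC-only matching rule and all packets below are assumed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class ArpRequest:
    src_mac: str
    sender_ip: str
    interface: str
    vlan: int


def build_dynamic_bindings(user_info: Iterable[Tuple[str, str, int]],
                           arp_stream: Iterable[ArpRequest]) -> Dict[str, Binding]:
    """user_info holds (mac, interface, vlan) recorded when a static-IP user passes
    802.1X. EAP carries no IP address, so the IP is copied from the first ARP
    request whose source MAC matches the entry (the rule the precaution above
    describes; matching on MAC alone is the modelling assumption here)."""
    pending = {mac: (ifname, vlan) for mac, ifname, vlan in user_info}
    table: Dict[str, Binding] = {}
    for arp in arp_stream:
        if arp.src_mac in pending and arp.src_mac not in table:
            ifname, vlan = pending[arp.src_mac]
            table[arp.src_mac] = Binding(arp.src_mac, arp.sender_ip, ifname, vlan)
    return table


def static_bindings(entries: Iterable[Binding]) -> Dict[str, Binding]:
    """Equivalent of user-bind static: the administrator supplies every field."""
    return {e.mac: e for e in entries}


def ipsg_allows(table: Dict[str, Binding], mac: str, ip: str, interface: str, vlan: int) -> bool:
    """IP source guard: forward an IP packet only if (MAC, IP, interface, VLAN) is bound."""
    b = table.get(mac)
    return b is not None and (b.ip, b.interface, b.vlan) == (ip, interface, vlan)


def dai_allows(table: Dict[str, Binding], arp: ArpRequest) -> bool:
    """Dynamic ARP inspection: the same check applied to the ARP sender fields."""
    return ipsg_allows(table, arp.src_mac, arp.sender_ip, arp.interface, arp.vlan)


# Constructed scenario: one authenticated static-IP host on GE1/0/1 in VLAN 10, and an
# attacker behind the same port (for example via a hub) who has cloned its MAC address.
USER_MAC = "0001-0203-0405"
USER_IP = "10.1.1.10"
SPOOFED_IP = "10.1.1.99"
USER_INFO = [(USER_MAC, "GE1/0/1", 10)]
ARP_STREAM = [
    ArpRequest(USER_MAC, SPOOFED_IP, "GE1/0/1", 10),  # forged ARP request, arrives first
    ArpRequest(USER_MAC, USER_IP, "GE1/0/1", 10),     # the real user's ARP request
]


def demo() -> Dict[str, object]:
    dynamic = build_dynamic_bindings(USER_INFO, ARP_STREAM)
    static = static_bindings([Binding(USER_MAC, USER_IP, "GE1/0/1", 10)])
    return {
        "dynamic_binding_ip": dynamic[USER_MAC].ip,
        "dynamic_user_passes_ipsg": ipsg_allows(dynamic, USER_MAC, USER_IP, "GE1/0/1", 10),
        "dynamic_attacker_passes_ipsg": ipsg_allows(dynamic, USER_MAC, SPOOFED_IP, "GE1/0/1", 10),
        "static_user_passes_ipsg": ipsg_allows(static, USER_MAC, USER_IP, "GE1/0/1", 10),
        "static_attacker_passes_dai": dai_allows(static, ARP_STREAM[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the forged ARP request arriving first, the auto-generated entry binds the legitimate MAC to the attacker's IP address: the real user's traffic is then dropped by IPSG while the attacker's passes, which is exactly why the precaution favours user-bind static, whose entry is fixed by the administrator and rejects the forged ARP under DAI.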

Example

# Enable the device to automatically generate the DHCP snooping binding table after static IP users pass 802.1X authentication.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x trigger dhcp-binding

dot1x unicast-trigger

Function

The dot1x unicast-trigger command enables 802.1X authentication triggered by unicast packets.

The undo dot1x unicast-trigger command disables 802.1X authentication triggered by unicast packets.

By default, 802.1X authentication triggered by unicast packets is disabled.

Format

In the system view:

dot1x unicast-trigger interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo dot1x unicast-trigger interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

dot1x unicast-trigger

undo dot1x unicast-trigger

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

After the dot1x unicast-trigger command is run, the device responds to an ARP or DHCP Request packet received from a client by sending the client a unicast packet that starts 802.1X authentication. If the client does not respond within the timeout interval (set by the dot1x timer command), the device retransmits the unicast packet, up to the maximum retransmission count set by the dot1x retry command. In this way, 802.1X users can start 802.1X authentication without installing dedicated client dial-in software, which facilitates network deployment.
NOTE:

The dot1x unicast-trigger command has the same function as the dot1x dhcp-trigger command.

Example

# Enable 802.1X authentication triggered by unicast packets on GE1/0/1 in the system view.

<HUAWEI> system-view
[HUAWEI] dot1x unicast-trigger interface gigabitethernet 1/0/1

dot1x url

Function

The dot1x url command configures the redirect-to URL in 802.1X authentication.

The undo dot1x url command cancels the redirect-to URL configuration in 802.1X authentication.

By default, no redirect-to URL is configured in 802.1X authentication.

Format

dot1x url url-string

undo dot1x url

Parameters

Parameter Description Value
url-string Specifies the redirect-to URL. The value is a string of 1 to 200 case-sensitive characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In the early stage of network deployment, deploying 802.1X clients is difficult and labor-intensive. You can run the dot1x url command to set the redirect-to URL to the web page from which the 802.1X client can be downloaded. When a user uses a web browser to access an address outside the free IP subnet, the device, on receiving the user's HTTP packet, redirects the user to the redirect-to URL, where the user can download and install the 802.1X client software.

Follow-up Procedure

Run the dot1x free-ip command to configure a free IP subnet where the redirect-to URL of the 802.1X user is located.

Precautions

The redirect-to URL must be within the free IP subnet. Otherwise, the URL is inaccessible.

Example

# Configure the redirect-to URL in 802.1X authentication to http://www.123.com.cn.

<HUAWEI> system-view
[HUAWEI] dot1x url http://www.123.com.cn

force-push

Function

The force-push command enables the forcible URL template or URL push function.

The undo force-push command disables the forcible URL template or URL push function.

By default, the forcible URL template or URL push function is disabled.

Format

force-push { url-template template-name | url url-address }

undo force-push

Parameters

Parameter

Description

Value

url-template template-name

Specifies the name of a pushed URL template.

The value must be the name of an existing URL template.

url url-address

Specifies a pushed URL.

It is a string of 1 to 200 case-sensitive characters that do not contain spaces and question marks (?). When double quotation marks are used around the string, spaces are allowed in the string.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a user is successfully authenticated, the device forcibly redirects the user to a web page when it receives the first HTTP packet from that user. Besides pushing advertisement pages, the device can extract user terminal information from the HTTP packets sent by users and apply that information to other services. There are two ways to push web pages:
  1. URL: pushes the URL corresponding to the web page.
  2. URL template: pushes the URL template. A URL template must be created. The URL template contains the URL of the pushed web page and URL parameters.

Prerequisites

The URL configured using the url (URL template view) command in the URL template view cannot be a redirection URL; otherwise, the command does not take effect.

Precautions

For a user who goes online through the X series cards, the forcible push function takes effect only for the first HTTP packet received from the user. If an application program that actively sends HTTP packets is installed on the user terminal, the terminal has sent the HTTP packet before the user accesses a web page. Therefore, the user is unaware of the web page push process.

For users who go online from cards other than the X series cards, the forcible push function takes effect only when a redirection ACL is configured. If a redirection ACL exists in the user table, a web page is forcibly pushed when HTTP packets from the user match the redirection ACL rule. Usually, you configure the RADIUS server to authorize the Huawei extended RADIUS attribute HW-Redirect-ACL to users to implement the redirection ACL, or run the redirect-acl command to configure one.

Example

# Push the URL template abc in the domain huawei.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] force-push url-template abc

http get-method enable

Function

The http get-method enable command configures the device to allow users to submit user name and password information to the device in GET mode during Portal authentication.

The undo http get-method enable command restores the default setting.

By default, the device does not allow users to submit user name and password information to the device in GET mode during Portal authentication.

Format

http get-method enable

undo http get-method enable

Parameters

None

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device does not allow users to submit user name and password information to the device in GET mode during Portal authentication. You can run the http get-method enable command to configure the device to allow users to submit user name and password information to the device in GET mode during Portal authentication.

Precautions

In GET mode the user name and password are carried in the URL query string, where they can end up in browser history, proxy and web server logs, and Referer headers. The GET mode therefore carries a risk of password disclosure, and the POST mode is recommended.

This command only applies to scenarios in which HTTP or HTTPS is used for Portal connection establishment.

Example

# Configure the device to allow users to submit user name and password information to the device in GET mode during Portal authentication.

<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] http get-method enable

http-method post

Function

The http-method post command configures parameters for parsing and replying to POST request packets of the HTTP or HTTPS protocol.

The undo http-method post command restores the default configuration.

By default, the system has configured parameters for parsing and replying to POST request packets of the HTTP or HTTPS protocol. For details, see the "Parameters" table.

Format

http-method post { cmd-key cmd-key [ login login-key | logout logout-key ] * | init-url-key init-url-key | login-fail response { err-msg { authenserve-reply-message | msg msg } | redirect-login-url | redirect-url redirect-url [ append-reply-message msgkey ] } | login-success response { msg msg | redirect-init-url | redirect-url redirect-url } | logout-fail response { msg msg | redirect-url redirect-url } | logout-success response { msg msg | redirect-url redirect-url } | password-key password-key | user-mac-key user-mac-key | userip-key userip-key | username-key username-key } *

undo http-method post { all | { cmd-key | init-url-key | login-fail | login-success | logout-fail | logout-success | password-key | user-mac-key | userip-key | username-key } * }

Parameters

Parameter

Description

Value

cmd-key cmd-key

Specifies the command identification keyword. The default value is cmd.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

login login-key

Specifies the user login identification keyword. The default value is login.

The value is a string of 1 to 15 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

logout logout-key

Specifies the user logout identification keyword. The default value is logout.

The value is a string of 1 to 15 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

init-url-key init-url-key

Specifies the identification keyword for the user initial login URL. The default value is initurl.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

login-fail response { err-msg { authenserve-reply-message | msg msg } | redirect-login-url | redirect-url redirect-url [ append-reply-message msgkey ] }

Specifies the response message upon a user login failure.

  • err-msg authenserve-reply-message: The authentication server response message is displayed after a user login failure.
  • err-msg msg msg: A specified message is displayed after a user login failure.
  • redirect-login-url: A user is redirected to the login URL after a login failure. This mode is the default mode.
  • redirect-url redirect-url: A user is redirected to a specified URL after a login failure.
  • append-reply-message msgkey: specifies the identification keyword for the authentication server response message carried in the redirection URL.
  • msg: The value is a string of 1 to 200 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

  • redirect-url: The value is a string of 1 to 200 case-sensitive characters without spaces.

  • msgkey: The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).
login-success response { msg msg | redirect-init-url | redirect-url redirect-url }

Specifies the response message upon successful user login.

  • msg msg: A specified message is displayed after successful user login.
  • redirect-init-url: A user is redirected to the initial login URL after successful login. This mode is the default mode.
  • redirect-url redirect-url: A user is redirected to a specified URL after successful login.
  • msg: The value is a string of 1 to 200 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

  • redirect-url: The value is a string of 1 to 200 case-sensitive characters without spaces.

logout-fail response { msg msg | redirect-url redirect-url }

Specifies the response message upon a user logout failure.

  • msg msg: A specified message is displayed after a user logout failure. The default value is LogoutFail!.
  • redirect-url redirect-url: A user is redirected to a specified URL after a logout failure.
  • msg: The value is a string of 1 to 200 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

  • redirect-url: The value is a string of 1 to 200 case-sensitive characters without spaces.

logout-success response { msg msg | redirect-url redirect-url }

Specifies the response message upon successful user logout.

  • msg msg: A specified message is displayed after successful user logout. The default value is LogoutSuccess!.
  • redirect-url redirect-url: A user is redirected to a specified URL after successful logout.
  • msg: The value is a string of 1 to 200 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

  • redirect-url: The value is a string of 1 to 200 case-sensitive characters without spaces.

password-key password-key

Specifies the password identification keyword. The default value is password.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

user-mac-key user-mac-key

Specifies the identification keyword for the user MAC address. The default value is macaddress.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

userip-key userip-key

Specifies the identification keyword for the user IP address. The default value is ipaddress.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

username-key username-key

Specifies the user name identification keyword. The default value is username.

The value is a string of 1 to 16 case-sensitive characters without spaces, question marks (?), ampersands (&), and equal signs (=).

all

Indicates all parameters.

-

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

When the device uses the HTTP or HTTPS protocol to communicate with the Portal server, a user sends POST request packets (carrying parameters such as the user name and MAC address) to the device as required by the Portal server. After receiving the POST request packets, the device parses parameters in the packets. If identification keywords of the parameters differ from those configured on the device, the user authentication fails. Therefore, you need to run the http-method post command to configure the identification keywords based on the Portal server configuration.

After a successful user login or logout, or a login or logout failure, the device replies to the user according to the http-method post configuration. For example, by default the device sends the LogoutSuccess! message to a user who logs out successfully.
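The following Python model, added here and not part of the command reference or the device software, shows the request handling that the http-method post and http get-method enable commands configure: the parameter source is chosen by HTTP method, the fields are looked up by the configured keywords, a keyword mismatch makes authentication fail, and the reply follows the configured login-success, login-fail, logout-success and logout-fail settings. The keyword and message defaults are the command defaults from the table above; the handler structure, the stand-in authentication function, the login URL, the user names and the sample requests are constructed assumptions.

```python
"""Model of Portal login/logout request parsing over HTTP/HTTPS (http-method post
and http get-method enable). Constructed example, not device code: keyword and
message defaults are the command defaults; everything else is assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import parse_qs


@dataclass
class PortalPostConfig:
    cmd_key: str = "cmd"                 # cmd-key default
    login_key: str = "login"             # login default
    logout_key: str = "logout"           # logout default
    username_key: str = "username"       # username-key default
    password_key: str = "password"       # password-key default
    init_url_key: str = "initurl"        # init-url-key default
    get_method_enabled: bool = False     # http get-method enable is off by default
    # (mode, value) pairs mirroring the login-success / login-fail response settings
    login_success: Tuple[str, str] = ("redirect-init-url", "")
    login_fail: Tuple[str, str] = ("redirect-login-url", "")
    logout_success_msg: str = "LogoutSuccess!"
    logout_fail_msg: str = "LogoutFail!"


@dataclass
class Reply:
    status: int
    body: str = ""
    location: str = ""


def _first(params: Dict[str, List[str]], key: str) -> str:
    return params.get(key, [""])[0]


def _render(mode_value, params, cfg: PortalPostConfig, login_url: str) -> Reply:
    """Build the reply for one of the configurable response modes."""
    mode, value = mode_value
    if mode == "msg":
        return Reply(200, value)
    if mode == "redirect-url":
        return Reply(302, location=value)
    if mode == "redirect-init-url":
        return Reply(302, location=_first(params, cfg.init_url_key) or login_url)
    return Reply(302, location=login_url)  # redirect-login-url


def handle_portal_request(cfg: PortalPostConfig, method: str, query: str, body: str,
                          authenticate: Callable[[str, str], bool],
                          online: Set[str], login_url: str) -> Reply:
    """Pick the parameter source by method, look up fields by keyword, act on cmd."""
    if method == "GET":
        if not cfg.get_method_enabled:
            return Reply(405, "credentials must be submitted with POST")
        params = parse_qs(query, keep_blank_values=True)
    elif method == "POST":
        params = parse_qs(body, keep_blank_values=True)
    else:
        return Reply(405, "unsupported method")

    cmd = _first(params, cfg.cmd_key)
    if cmd == cfg.login_key:
        user = _first(params, cfg.username_key)
        if user and authenticate(user, _first(params, cfg.password_key)):
            online.add(user)
            return _render(cfg.login_success, params, cfg, login_url)
        return _render(cfg.login_fail, params, cfg, login_url)
    if cmd == cfg.logout_key:
        user = _first(params, cfg.username_key)
        if user in online:
            online.discard(user)
            return Reply(200, cfg.logout_success_msg)
        return Reply(200, cfg.logout_fail_msg)
    # Keyword mismatch between Portal server and device: authentication fails.
    return Reply(400, "unrecognized or missing command keyword")


def demo() -> Dict[str, Reply]:
    cfg = PortalPostConfig()
    creds = {"alice": "s3cret"}                   # constructed stand-in for the AAA server
    auth = lambda user, pwd: creds.get(user) == pwd
    online: Set[str] = set()
    url = "https://portal.example/login"          # assumed login URL
    post = lambda c, body: handle_portal_request(c, "POST", "", body, auth, online, url)
    get = lambda c, query: handle_portal_request(c, "GET", query, "", auth, online, url)
    creds_qs = "cmd=login&username=alice&password=s3cret"
    return {
        "login_ok": post(cfg, creds_qs + "&initurl=http%3A%2F%2Fintranet.example%2F"),
        "bad_password": post(cfg, "cmd=login&username=alice&password=wrong"),
        "wrong_keyword": post(cfg, "command=login&username=alice&password=s3cret"),
        "get_default": get(cfg, creds_qs),
        # With GET enabled the same credentials travel in the URL query string.
        "get_enabled": get(PortalPostConfig(get_method_enabled=True), creds_qs),
        "logout": post(cfg, "cmd=logout&username=alice"),
        "logout_again": post(cfg, "cmd=logout&username=alice"),
    }
```

Run demo() to see the seven cases: the successful login is redirected to the initial URL carried in initurl, the failed login to the login URL, the request using the wrong command keyword is rejected, the GET submission is refused unless get_method_enabled is set, and the second logout of the same user returns LogoutFail!. Note that in the GET case the string creds_qs is the request URL's query, which is what access logs and Referer headers would record.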

Example

# Set the command identification keyword to cmd1 for parsing POST request packets of the HTTP or HTTPS protocol.

<HUAWEI> system-view
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] http-method post cmd-key cmd1

mac-authen

Function

The mac-authen command enables MAC address authentication globally or on an interface.

The undo mac-authen command disables MAC address authentication globally or on an interface.

By default, MAC address authentication is disabled globally and on an interface.

Format

In the system view:

mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

undo mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

In the interface view:

mac-authen

undo mac-authen

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

MAC address authentication controls network access rights of a user based on the user's access interface and MAC address. During MAC address authentication, the user name and password are the user's MAC address. MAC address authentication is applicable to the scenario where MAC addresses are unchanged and high security is not required, and is used to authenticate terminals such as printers where the authentication client cannot be installed.

If you run the mac-authen command in the system view without any interfaces specified, MAC address authentication is enabled globally. The configurations of MAC address authentication take effect only after global MAC address authentication is enabled. MAC address bypass authentication is not controlled by this command.

To enable MAC address authentication on an interface, you can perform either of the following operations:
  • Run the mac-authen command in the interface view.
  • Run the mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command in the system view.

Precautions

  • The cards configured in limiting-mac mode do not support user access.
  • Before running the undo mac-authen command, ensure that there is no online MAC address authentication user; otherwise, you cannot run this command. Online MAC address authentication users do not include online users using MAC address bypass authentication.

  • After MAC address authentication is enabled on a VLANIF interface, the guest VLAN, critical VLAN, or dynamic VLAN authorization is invalid to the MAC address authentication users on the VLANIF interface.
  • Before enabling MAC address authentication on the VLANIF interface, ensure that the strict ARP entry learning function is disabled using the undo arp learning strict command. If the function is enabled, the users cannot go online.
  • After the static MAC address entry is configured using the mac-address static mac-address interface-type interface-number vlan vlan-id command, the user corresponding to the entry cannot pass MAC address authentication.
  • If MAC address authentication is enabled on an interface, the following commands cannot be used on the same interface; conversely, if any of these commands is configured on an interface, MAC address authentication cannot be enabled on that interface.

    Command    Function
    mac-limit    Sets the maximum number of MAC addresses that can be learned by an interface.
    mac-address learning disable    Disables MAC address learning on an interface.
    port link-type dot1q-tunnel    Sets the link type of an interface to QinQ.
    port vlan-mapping vlan map-vlan, port vlan-mapping vlan inner-vlan    Configures VLAN mapping on an interface.
    port vlan-stacking    Configures selective QinQ.
    mac-vlan enable    Enables MAC address-based VLAN assignment on an interface.
    ip-subnet-vlan enable    Enables IP subnet-based VLAN assignment on an interface.
    user-bind ip sticky-mac    Enables the device to generate snooping MAC entries.

Example

# Enable global MAC address authentication.

<HUAWEI> system-view
[HUAWEI] mac-authen

# Enable MAC address authentication on GE1/0/1 in the system view.

<HUAWEI> system-view
[HUAWEI] mac-authen
[HUAWEI] mac-authen interface gigabitethernet 1/0/1

# Enable MAC address authentication on GE1/0/1 in the interface view.

<HUAWEI> system-view
[HUAWEI] mac-authen
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-authen

mac-authen trigger

Function

The mac-authen trigger command configures the packet types that can trigger MAC address authentication.

The undo mac-authen trigger command restores the default configuration.

By default, DHCP/ARP/DHCPv6/ND packets can trigger MAC address authentication.

Format

In the system view:

mac-authen { dhcp-trigger | arp-trigger | dhcpv6-trigger | nd-trigger } * [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

undo mac-authen { dhcp-trigger | arp-trigger | dhcpv6-trigger | nd-trigger } * [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

In the interface view:

mac-authen { dhcp-trigger | arp-trigger | dhcpv6-trigger | nd-trigger } *

undo mac-authen { dhcp-trigger | arp-trigger | dhcpv6-trigger | nd-trigger } *

Parameters

Parameter

Description

Value

dhcp-trigger

Triggers MAC address authentication through DHCP packets.

-

arp-trigger

Triggers MAC address authentication through ARP packets.

-

dhcpv6-trigger

Triggers MAC address authentication through DHCPv6 packets.

-

nd-trigger

Triggers MAC address authentication through ND packets.

-

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

If this parameter is not specified, the command takes effect on all interfaces.

-

Views

System view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After MAC address authentication is enabled, the device can trigger MAC address authentication on users by default when receiving DHCP/ARP/DHCPv6/ND packets. Based on user information on the actual network, the administrator can adjust the packet types that can trigger MAC address authentication. For example, if all users on a network dynamically obtain IPv4 addresses, the device can be configured to trigger MAC address authentication only through DHCP packets. This prevents the device from continuously sending ARP packets to trigger MAC address authentication when static IPv4 addresses are configured for unauthorized users on the network, and reduces device CPU occupation.

Precautions

If the command is run in the system view without an interface specified, the configuration takes effect on all interfaces. If the command is configured both globally and on an interface, the configuration on the interface takes precedence.

The mac-authen trigger command also enables MAC address authentication. When both the mac-authen trigger and mac-authen commands are configured on an interface, the last configured one takes effect. If the mac-authen configuration takes effect on the interface, DHCP, ARP, DHCPv6, and ND packets can trigger MAC address authentication.

Example

# Configure the device to trigger MAC address authentication only through DHCP packets in the system view.

<HUAWEI> system-view
[HUAWEI] mac-authen dhcp-trigger

mac-authen dhcp-trigger dhcp-option

Function

The mac-authen dhcp-trigger dhcp-option command enables the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

The undo mac-authen dhcp-trigger dhcp-option command restores the default configuration.

By default, the device does not send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

Format

In the system view:

mac-authen dhcp-trigger dhcp-option option-code [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

undo mac-authen dhcp-trigger dhcp-option option-code [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

In the interface view:

mac-authen dhcp-trigger dhcp-option option-code

undo mac-authen dhcp-trigger dhcp-option option-code

Parameters

Parameter Description Value
option-code

Specifies the option that the device sends to the authentication server.

The value is fixed as 82.